Proxy SSL and ECC ciphers
So I know that currently Proxy SSL does not support anything other than RSA key exchanges. I don't know if anyone had found any other way to do certificate authentication on the web server while still maintaining ASM inspection. I have an application where we have been restricting it down to RSA key exchanges only in order to use Proxy SSL so that the client cert could still pass to the web server but we could keep ASM inspection of the content. Now we have an issue where we need to turn on ECC ciphers, which will break Proxy SSL inspection and possibly force us to completely bypass ASM inspection. I would prefer not to bypass ASM but not seeing a way around it right now. Any help would be appreciated. Thanks.
Problem ProxySSL with two pools.
Hi, I have a VS with ProxySSL enabled (profile SSL client and server), and two pools with HTTPS (A_pool and B_pool). I configure the A_pool as default pool in VS and works correctly. But when I change to B_pool, through a iRule, show a error. How can I change the default pool through a iRule? Very thanks.
ProxySSL - tracking the client
Consider the following scenario: A virtual server is defined with a ProxySSL rule to inspect traffic before passing the stream to another virtual server. Question: If a connection is inspected, then rejected by the ProxySSL VS for some reason, is there any way to associate the connection with a client other than source IP? Is there any way to determine the client certificate or the SSL session ID in the ProxySSL VS?Enable/Disable ProxySSL in iRule
Is there a way to enable and disable the ProxySSL feature of an assigned client or server SSL profile within an iRule? I have a virutal server that hosts many different application. Pools and whether or not a serverside SSL profile is required are assigned based on URI. All site except one have SSL terminated at the BIGIP. However, one not only requires server side SSL but also requires that the client certificate be passed through to the server for authentication. ProxySSL requires that both the client and server SSL profile have the feature turned on, but when I assign the profile to the virtual server the sites that don't need server side SSL stop working. Any help would be appreciated.Issues with Proxy SSL
I have an Active Sync application where we are using the Proxy SSL on an ASM in order to pass client certificate authentication. We have started noticing that when sending messages with attachments bigger than roughly 2.5mb get an error that they are not sent. When tracing the connection and running it through ssldump I see the data packets start flowing from the client to the VIP on the ASM and then mid stream on the data connection I start seeing this in the SSLdump. Those messages go on for a few seconds until the server side closes the connection. There is no block in ASM and nothing in the LTM logs either. I check the ciphers and protocols supported on the server and they are all supported by the ASM. When I remove the ASM and let client talk directly to the server the issue clears up. Has anyone seen this before any thought would be helpful. I am running 11.4.1 HF7 in prod and I did try running it through a 11.5.2 HF1 build I have in my lab and the same issue occurs. 9 111 3.2153 (0.0009) C>SShort record Unknown SSL content type 1 9 112 3.2184 (0.0030) C>SShort record Unknown SSL content type 35 9 113 3.2202 (0.0018) C>SShort record Unknown SSL content type 241 9 114 3.2225 (0.0023) C>SShort record Unknown SSL content type 15 9 115 3.2243 (0.0018) C>SShort record Unknown SSL content type 242 9 116 3.2272 (0.0028) C>SShort record Unknown SSL content type 48 9 117 3.2290 (0.0017) C>SShort record Unknown SSL content type 0 9 118 3.2314 (0.0024) C>SShort record Unknown SSL content type 176 9 119 3.2338 (0.0023) C>SShort record Unknown SSL content type 197 9 120 3.2985 (0.0647) C>SShort record Unknown SSL content type 174 9 121 3.3009 (0.0023) C>SShort record Unknown SSL content type 230 9 122 3.3044 (0.0035) C>SShort record 9 123 3.4143 (0.1099) C>SV90.118(44194) bad MAC Unknown SSL content type 37Forward client certificate to server in V10 LTM
We have an application which use client certificate for authenticate users. So far we had setup this as SSL pass through mode. But now they want to drop some connection base on specific word on URI, we need to install SSL cert on LB to look into URI. And application team want to see the client cert. I read about PROXY SSL feature to achieve this but look like that is available on V11. But our LB is V10. Can we achieve this on V10 ? ThanksBig IP proxy SSL on multiple Big-IP systems
Hello, There is some information available to implement Proxy SSL on a single Big-IP system where the client SSL profile and Server SSL profile are setup on the same Big-IP. Implementing Proxy SSL on a Single BIG-IP System I have an SSL air gap configuration where one clients connect to one Big-IP and the pool members are on another Big-IP. Can I configure proxy SSL on such a configuration where the client SSL profile exists on machine and the Server proxy SLL profile exists on another machine? Here is the flow of traffic: Client --> SSL VIP on Big-IP 1 --> SSL VIP on Big-IP 2 --> Pool members I am using Big-IP version 12.1.2. Regards, Akmal Zeb
