Forum Discussion
shaggy, Oct 31, 2014 (Nimbostratus):
Still looks like mirroring of terminated SSL is not supported in 11.6: https://support.f5.com/kb/en-us/solutions/public/7000/200/sol7216.html
- R_Marc, Oct 31, 2014 (Nimbostratus):
According to this, it should be now, unless I'm reading it wrong: https://devcentral.f5.com/articles/the-top-ten-hardcore-f5-security-features-in-big-ip-116

Number 3: SSL Session Mirroring
Full SSL handshakes are computationally expensive. This is one of the reasons that enterprises use F5’s LTM as SSL decryption mechanisms. Suppose you are lucky enough to have a site with a lot of SSL traffic. What if something happens and your primary ADC stops receiving traffic and the secondary has to pick up all those active connections? You want the secondary to perform cheap resumption handshakes (based off a shared session ID cache) with all the clients instead of full handshakes. You can now share SSL session ID caches across traffic groups so that failovers won’t cause massive spikes in full SSL handshakes.
- shaggy, Oct 31, 2014 (Nimbostratus):
Can you provide the output of "list ltm profile client-ssl clientssl all-properties"? I don't have an 11.6 LTM at hand, but the SSL state mirroring feature could be similar to persistence mirroring, where it's configured under the profile and is different from connection mirroring. You might also check the traffic-group configuration and System | General to see if it's a global setting.
- R_Marc, Oct 31, 2014 (Nimbostratus):
Sure. I just replicated on a VM version (to take FIPS out of the picture) and it fails the same way.

    ltm profile client-ssl myvirtual-client-ssl-profile {
        app-service none
        authenticate always
        authenticate-depth 9
        ca-file CA.crt
        cert test-ssl-mirror.crt
        cert-key-chain {
            test-ssl-mirror_test-ssl-mirror {
                cert test-ssl-mirror.crt
                key test-ssl-mirror.key
            }
        }
        client-cert-ca PRD_MC_Production_Network_Applications_Root_CA.crt
        crl-file none
        defaults-from clientssl
        inherit-certkeychain false
        key test-ssl-mirror.key
        options { dont-insert-empty-fragments }
        passphrase none
        peer-cert-mode request
        retain-certificate true
        session-mirroring enabled
    }

    ltm profile server-ssl myvirtual-server-ssl-profile {
        alert-timeout 10
        app-service none
        cache-size 262144
        cache-timeout 3600
        chain none
        ciphers DEFAULT
        defaults-from serverssl
        handshake-timeout 10
        mod-ssl-methods disabled
        options { dont-insert-empty-fragments }
        proxy-ssl disabled
        renegotiate-period indefinite
        renegotiate-size indefinite
        renegotiation enabled
        secure-renegotiation require-strict
        server-name none
        session-mirroring enabled
        session-ticket disabled
        sni-default false
        sni-require false
        ssl-forward-proxy disabled
        strict-resume disabled
        unclean-shutdown enabled
    }
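Added example, not part of the thread and not F5's own tooling: a small Python parser for the brace-delimited text that tmsh "list ... all-properties" prints, used to audit which client-ssl and server-ssl profiles have session-mirroring enabled (the per-profile setting shaggy asked about, as distinct from connection mirroring on the virtual server). The embedded sample is constructed from trimmed copies of the two profiles quoted above plus a hypothetical third profile, example-nomirror-profile, with mirroring disabled; the function names parse_tmsh, audit_ssl_profiles and profiles_without_mirroring are mine.

```python
"""Audit SSL session-mirroring across BIG-IP SSL profiles from tmsh list output.

Added example (not from the thread or from F5). It parses the brace-delimited
output of `tmsh list ltm profile client-ssl all-properties` / `server-ssl` and
reports the session-mirroring and session-ticket state per profile, so a
failover review can see which profiles would force full handshakes on the peer.
"""

# Constructed sample: trimmed copies of the two profiles quoted in the thread,
# plus a hypothetical third profile with session-mirroring disabled.
SAMPLE_TMSH_OUTPUT = """\
ltm profile client-ssl myvirtual-client-ssl-profile {
    app-service none
    authenticate always
    cert test-ssl-mirror.crt
    cert-key-chain {
        test-ssl-mirror_test-ssl-mirror {
            cert test-ssl-mirror.crt
            key test-ssl-mirror.key
        }
    }
    defaults-from clientssl
    key test-ssl-mirror.key
    options { dont-insert-empty-fragments }
    peer-cert-mode request
    session-mirroring enabled
}
ltm profile server-ssl myvirtual-server-ssl-profile {
    cache-size 262144
    cache-timeout 3600
    ciphers DEFAULT
    defaults-from serverssl
    renegotiation enabled
    secure-renegotiation require-strict
    session-mirroring enabled
    session-ticket disabled
    strict-resume disabled
}
ltm profile client-ssl example-nomirror-profile {
    defaults-from clientssl
    session-mirroring disabled
}
"""


def parse_tmsh(text):
    """Parse tmsh brace output into nested dicts.

    Top-level keys are the full object headers, e.g.
    'ltm profile client-ssl myvirtual-client-ssl-profile'. Inline sets such as
    'options { dont-insert-empty-fragments }' become lists. Assumes one
    property per line, which is how tmsh prints it (the forum flattened the
    copy in the thread onto a single line).
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pos = 0

    def parse_block():
        nonlocal pos
        block = {}
        while pos < len(lines):
            line = lines[pos]
            pos += 1
            if line == "}":
                break
            if line.endswith("{"):                      # nested block
                block[line[:-1].strip()] = parse_block()
            elif "{" in line and line.endswith("}"):    # inline set on one line
                key, _, rest = line.partition("{")
                block[key.strip()] = rest.rstrip("}").split()
            else:                                       # "key value" (value may be empty)
                key, _, value = line.partition(" ")
                block[key] = value.strip()
        return block

    return parse_block()


SSL_PROFILE_TYPES = ("client-ssl", "server-ssl")


def audit_ssl_profiles(config):
    """Return {profile_name: {...}} for every client-ssl / server-ssl profile.

    None means the setting was not printed; with all-properties tmsh prints
    every setting, so None normally indicates truncated or trimmed output.
    """
    report = {}
    for header, props in config.items():
        parts = header.split()
        if len(parts) == 4 and parts[:2] == ["ltm", "profile"] and parts[2] in SSL_PROFILE_TYPES:
            report[parts[3]] = {
                "type": parts[2],
                "defaults_from": props.get("defaults-from"),
                "session_mirroring": props.get("session-mirroring"),
                "session_ticket": props.get("session-ticket"),
            }
    return report


def profiles_without_mirroring(report):
    """Names of SSL profiles whose session ID cache would not follow a failover."""
    return [name for name, info in report.items() if info["session_mirroring"] != "enabled"]


if __name__ == "__main__":
    rep = audit_ssl_profiles(parse_tmsh(SAMPLE_TMSH_OUTPUT))
    for name, info in rep.items():
        print(f"{info['type']:<10} {name:<32} session-mirroring={info['session_mirroring']} "
              f"session-ticket={info['session_ticket']}")
    print("not mirrored:", profiles_without_mirroring(rep))
```

On a real unit, feed it the text of "tmsh list ltm profile client-ssl all-properties" and "tmsh list ltm profile server-ssl all-properties" concatenated; the parser does not resolve inheritance through defaults-from, so check the parent profile (clientssl / serverssl) when a setting is absent.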
- R_Marc, Oct 31, 2014 (Nimbostratus):
I also didn't see anything pertinent in the traffic-group settings:

    Identifier: [object identifier]   Name of the traffic-group
    Properties:
        "{"                       Optional delimiter
        app-service               The application service that the object belongs to.
        auto-failback-enabled     Set to true to enable auto-failback
        auto-failback-time        Sets the time for auto-failback
        default-device
        description               User-defined description
        ha-group                  The name of HA group with which to associate
        ha-load-factor            A value of the load the traffic-group presents the system relative to other traffic-groups.
        ha-order                  The order in which devices will become active for the traffic-group
        mac                       Mac Address for the traffic-group