Forum Discussion

gongya
Dec 04, 2023
Solved

SSL Profiles

If I do not use any SSL profiles for a vserver, does F5 accept any cipher suite as long as that suite is within the DEFAULT cipher suite?

Does F5 also use the cipher suite to negotiate with the real servers?

Can I use different ciphers for the client SSL and server SSL profiles? If yes, does that mean the client can negotiate with the vserver using TLS 1.1 while F5 negotiates with the real servers via TLS 1.3?

We have some servers that only support older ciphers, but the remote sites have already retired those ciphers. Can we use F5 to solve this?     our servers ----- TLS 1.1 ----> F5 ----- TLS 1.3 ------> remote servers ?

thanks !!

  • Hi Gongya,

    There are 3 types of SSL communication possible:

    1. SSL Passthrough = No Client Side SSL Profile + No Server Side SSL Profile. The F5 VIP accepts encrypted packets, but F5 cannot see any packet headers and simply passes the SSL packets as-is to the backend pool members.

    2. SSL Offloading = Only a Client Side SSL Profile, no Server Side SSL Profile. The encrypted traffic between the user and the F5 VIP is decrypted, and from F5 to the backend pool member it is sent in PLAIN text. Use this if your communication between F5 and the backend pool is secured by a firewall.

    3. Full SSL Proxy / SSL Re-Encryption = Both a Client Side SSL Profile && a Server Side SSL Profile are applied. The encrypted traffic between the user and the F5 VIP is first decrypted using the client SSL profile; now F5 can see the headers and data in the SSL packets, which are visible in PLAIN text, and F5 can modify the headers if needed. Once any modification is done, the PLAIN text packets are re-encrypted using the Server Side SSL profile before being sent from F5 to the backend pool member. If your communication between F5 and the backend pool is not secured by a firewall, it is safer to re-encrypt the packets using a Server Side SSL profile and send those encrypted packets to the backend pool members.

    Your case is kind of SSL passthrough, where F5 will just accept the encrypted packet on the vServer (we call it a Virtual Server in F5, or simply VIP) and pass it to the backend pool members as-is. Due to the absence of a client side SSL profile, F5 is unable to decrypt these packets when they arrive at the VIP, so it cannot see inside the packet until you provide the SSL key to decrypt the packet into plain text first and then read the packet headers and content. Only then can you think of making any changes to the F5 ciphers or any other headers. Please consider that modification of SSL packets is not allowed until you decrypt them with an SSL key after receiving the encrypted packets, and the only method to decrypt encrypted packets on F5 after arrival is by applying a CLIENT SIDE SSL profile. Hope this explains what you are looking for.

    In your case, as you mentioned above, without getting the relevant cert and key (in some cases the chain certificate is also required, but that is optional and depends on the case) from the remote site or your backend pool members, you cannot apply SSL profiles on your F5 VIP or vServer. Without a key to decrypt the encrypted packet received on the vServer, F5 has no visibility to decrypt the SSL packets and look inside the packet headers, and no way to modify any weak ciphers or do any sort of modification on any headers. If a packet is encrypted, it is not allowed to be modified in transit; if you try to apply any modification, the packet will be tampered with, and when it reaches the destination it will be declared modified, treated as a MITM (Man In The Middle) attack, and discarded or dropped.

    Only if your packets are plain text can you apply a server side SSL profile; otherwise you will re-encrypt the packets received at the vServer, and the already encrypted packet is encrypted once more and now has 2 SSL layers, while your inner SSL packet headers still contain the weak ciphers. This will not help.

    To apply a Server Side SSL profile only, the traffic received at the vServer should first be decrypted to Plain Text with the help of a CLIENT SSL Profile before forwarding to the backend pool members; otherwise it will fail if you encrypt an encrypted packet twice.

    HTH

    🙏


5 Replies


    • gongya

      WOW. Such a clear explanation. Thanks so much!!

  • Yes, it is possible to use different cipher sets on the client side and the server side, which is configured via the client/server SSL profiles.
    Usually I use weaker ciphers on the server side, e.g. AES 128 instead of 256 bits, to reduce the SSL processing load on the servers.
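    As an added example (not from any post in this thread and not F5 documentation), here is a tmsh configuration for the "Full SSL Proxy / SSL Re-Encryption" case from the accepted answer, built around the point in the reply above that each side of the proxy can have its own ciphers and protocol versions: TLS 1.1/1.2 with older suites towards the legacy servers, TLS 1.3 only towards the remote site. Object names, addresses, the legacy cipher list and the hostnames are illustrative assumptions. It assumes a certificate and key for the VIP hostname that the legacy servers trust are already imported as `vip.example.com.crt` / `vip.example.com.key` (the BIG-IP owns this key; it does not need the remote site's key), and that the remote site's CA bundle is imported as `remote-ca.crt`. On BIG-IP, TLS 1.3 suites can only be selected through a cipher group, not a plain `ciphers` string, which is why the server side uses a cipher rule and group (BIG-IP 14.1 or later). Run each command from the BIG-IP bash prompt.

```tmsh
# Added example; names, addresses and cipher lists are illustrative assumptions.
# Requires BIG-IP 14.1+ for TLS 1.3 (selectable only via cipher groups).

# --- Client side (legacy servers -> F5 VIP): TLS 1.1/1.2 with the old suites only ---
# The cert/key is one the legacy servers trust for the VIP hostname; the BIG-IP holds this key.
tmsh create ltm profile client-ssl legacy_clientssl defaults-from clientssl cert-key-chain add { vip { cert vip.example.com.crt key vip.example.com.key } } ciphers "ECDHE-RSA-AES128-SHA:AES128-SHA:AES256-SHA" options { dont-insert-empty-fragments no-sslv3 no-tlsv1 no-tlsv1.3 }

# --- Server side (F5 -> remote site): TLS 1.3 only, via a cipher rule and cipher group ---
tmsh create ltm cipher rule remote_tls13 cipher "TLS13-AES256-GCM-SHA384:TLS13-AES128-GCM-SHA256"
tmsh create ltm cipher group remote_tls13 allow add { remote_tls13 }
# peer-cert-mode require + ca-file: verify the remote site's certificate instead of accepting anything.
# server-name: send SNI so the remote site presents the right certificate.
tmsh create ltm profile server-ssl modern_serverssl defaults-from serverssl cipher-group remote_tls13 options { dont-insert-empty-fragments no-sslv3 no-tlsv1 no-tlsv1.1 no-tlsv1.2 } server-name remote.example.net peer-cert-mode require ca-file remote-ca.crt

# --- Pool and virtual server: the two profiles bind to opposite contexts ---
tmsh create ltm pool remote_pool members add { 203.0.113.10:443 } monitor https
tmsh create ltm virtual legacy_bridge_vs destination 10.0.0.10:443 ip-protocol tcp profiles add { tcp http legacy_clientssl { context clientside } modern_serverssl { context serverside } } pool remote_pool

tmsh save sys config

# --- Checks ---
# Expand the client-side cipher string to see exactly which suites the VIP will offer/accept:
tmm --clientciphers 'ECDHE-RSA-AES128-SHA:AES128-SHA:AES256-SHA'
# Confirm the server-side cipher group resolves to the TLS 1.3 rule:
tmsh list ltm cipher group remote_tls13
# Per-profile statistics (including negotiated protocol versions) once traffic flows:
tmsh show ltm profile client-ssl legacy_clientssl
tmsh show ltm profile server-ssl modern_serverssl
```

    The design point is that there is one TLS session on each side of the BIG-IP, terminated by the client-ssl profile and re-originated by the server-ssl profile; neither side ever sees the other side's protocol version or ciphers, which is what makes the TLS 1.1 to TLS 1.3 bridge possible. Applying only the server-ssl profile to a virtual server that receives already-encrypted traffic does not give you this: the client-side session must be terminated first.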

  • Thanks so much!!

    We have a remote site that is decommissioning some cipher suites which we are still using, so the link is broken. We are trying to look for any possibility to solve this. The basic idea is that our servers with older ciphers connect to the F5 vserver, which connects to the remote site with newer ciphers.

    I am stuck with how to use the SSL profiles in the vserver.

    I created a new cipher group and a new server SSL profile with TLS 1.3 enabled. Then I applied only the server SSL profile to the vserver. Should that work?

    I can't add a client SSL profile to the vserver, as we can't get the cert and key from the remote site.

    Am I being reasonable?

    Thanks a lot!!