Forum Discussion

Mate_132781's avatar
Mate_132781
Icon for Cirrostratus rankCirrostratus
Mar 30, 2016
Solved

SSL Re-Encryption - No SSL traffic on server side

Hi,   I configured SSL re-encryption on F5 virtual edition, but I don't see SSL traffic on server side.   Client correctly connects to outside IP of F5, but when I create TCPDUMP there is no SS...
application delivery
BIG-IP
re-encryption
ssl
TMOS
  • Mate_132781's avatar
    Mate_132781
    Apr 01, 2016

    Thank you for hint! :-)

     

    To be sure I disabled HTTPS monitor on BIG-IP and after that there was no any traffic to server. After starting HTTPS connection from client I noticed that F5 used outside IP adress (one to which client connected) as a source IP address torward server. SNAT auto-map was enabled on VS.

     

    After that I created SANT pool with inside IP address of F5, associate it with VS and now everything is working.

     

    Monitor traffic confused me in TCPDUMP.

     

    Thanks for help.

     

Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Mar 30, 2016

How do you determine presence or no presence of SSL traffic? Do you open your capture file and expect to see TLS/SSL messages? SSL/TLS messages, such as CLIENTHELLO are only seen after you import the SSL private key to WireShark (private key from end-server). Before that is done, all traffic is encrypted, and can only be seen as TCP 443 stream.

 

On a very basic level, I hope you're aware that if you configure serverssl profile, that configuration itself doesn't re-encrypt traffic before forwarding it to end-server, unless your end-server listener is SSL-enabled, and correctly presents a SSL certificte. The serverssl profile configuration only enables F5 itself to act as a client during SSL handshake phase.

 

  • Mate_132781's avatar
    Mate_132781
    Icon for Cirrostratus rankCirrostratus
    Apr 04, 2016
    Access to WEB servers is working and pure HTTP is disabled on application. I'm aware of things you wrote. Thank you very much for help. :-)