Forum Discussion

SNz_298769
Nimbostratus
Nov 10, 2016

serverssl for some reason is not working

Hello,

I have a web server application that cannot yet support SSL offloading, and we need to configure server-side SSL.

  1. I have an IIS web server with a certificate installed and working with HTTPS (port 447).
  2. I created an SSL profile, mycert_profile, that inherits from the serverssl profile, and under Server Authentication I have set Server Certificate to Require.
  3. Created a pool with node:447.
  4. Created a VIP for HTTPS (443). Added the default http profile, and under Server Certificate selected the serverssl cert I created. Selected the pool.

Am I missing something? For some reason it is not working. Any guidance at the earliest is highly appreciated. It shows "website took too long to load, check settings".

 

4 Replies

  • Does it work with the default serverssl profile?

    Did you put a value in the Authenticate Name field when requiring authentication?

    If you select Require as the Server Certificate setting, you must also specify a value in the Authenticate Name setting. A blank Authenticate Name setting indicates that all servers are authenticated, even though you have specified Require as the Server Certificate setting.

     

  • I have also tried with the default SSL profile, with Ignore, with the same result.

  • For the Authenticate Name, I had put in the FQDN. The cert is a wildcard.


  • I think there is a misunderstanding about client authentication. Also, your configuration is missing a client SSL profile, and because you are using an HTTP profile, that is never going to work.

    Looking at the connection between the F5 and the backend server, the F5 is the client and the backend server is the server. The majority of SSL/TLS connections don't use client authentication, so unless you need a certificate on your PC when you connect directly to the server, you don't need to do client authentication in the server SSL profile.

    To summarize: add a client SSL profile that has the same certificate and key that the server uses, and use the default server SSL profile (no configuration needed for this profile).

    If you have an HTTP profile, the F5 must be able to decrypt the traffic to see the HTTP data before it opens the server-side connection. In your case, the F5 only sees encrypted data and never opens the server-side connection.

    If you still have problems with a client SSL and server SSL profile, remove the HTTP/clientssl/serverssl profiles. With this configuration, the SSL handshake is between the client and the backend server, so you can verify whether there is any other problem, like networking. Also, if you don't need to manipulate the HTTP data (for example, for cookie persistence), a configuration without these 3 profiles is a valid setup, with the advantage that changes to the certificate do not require changes to the F5 configuration.

    If you want to understand more about how this works, read this article:


    https://devcentral.f5.com/articles/ssl-profiles-part-1
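The configuration the last reply describes, written out in tmsh as an added example (this is not code from the thread or from F5's documentation). The object names and addresses are assumptions: mysite.crt and mysite.key are the IIS wildcard certificate and key imported into the BIG-IP, 10.0.0.10:447 is the IIS pool member, 203.0.113.10 is the VIP address, and www.example.com stands in for the real FQDN. The optional server-verification stanza shows what the original poster's "Require" setting actually needs (the point made in the first reply), and the pass-through variant is the no-profiles fallback the last reply suggests for isolating networking problems.

```tmsh
# Added example, not the thread's own configuration. Assumed names:
# mysite.crt / mysite.key (IIS wildcard cert and key imported into the BIG-IP),
# 10.0.0.10 (IIS pool member), 203.0.113.10 (VIP address), www.example.com (FQDN).

# 1. Client-side SSL: the BIG-IP terminates the browser's TLS using the same
#    wildcard certificate and key the IIS server presents on port 447.
create ltm profile client-ssl clientssl_mysite defaults-from clientssl cert-key-chain add { default { cert mysite.crt key mysite.key } }

# 2. Pool containing the IIS server on its HTTPS port, monitored over HTTPS.
create ltm pool pool_iis_447 members add { 10.0.0.10:447 } monitor https

# 3. SSL bridging virtual server: http + clientssl on the client side, the
#    unmodified default serverssl on the server side. The default serverssl
#    profile does not verify the pool member's certificate (peer-cert-mode
#    ignore), which is what the reply recommends for this case.
create ltm virtual vs_mysite_443 destination 203.0.113.10:443 ip-protocol tcp profiles add { tcp http clientssl_mysite { context clientside } serverssl { context serverside } } pool pool_iis_447 source-address-translation { type automap }

# Optional: only if the BIG-IP really must verify the IIS certificate. "Require"
# on its own is not enough; it needs a name to match and a CA bundle to trust.
# create ltm profile server-ssl serverssl_verify_iis defaults-from serverssl peer-cert-mode require authenticate-name www.example.com ca-file ca-bundle.crt

# Alternative (SSL pass-through, for troubleshooting or when no HTTP inspection
# is needed): no http, clientssl or serverssl profile at all. The TLS handshake is
# then end to end between the browser and IIS; the BIG-IP never needs the
# certificate, but it also cannot read HTTP (no cookie persistence, no HTTP
# iRules). Create this instead of vs_mysite_443, not alongside it, since both
# would claim 203.0.113.10:443.
# create ltm virtual vs_mysite_443_passthrough destination 203.0.113.10:443 ip-protocol tcp profiles add { tcp } pool pool_iis_447 source-address-translation { type automap }
```

To check the server side independently of the virtual server, run `openssl s_client -connect 10.0.0.10:447 -servername www.example.com` from the BIG-IP's bash shell: a completed handshake there means the pool member is reachable and the remaining problem is on the client-side profiles, not the network.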