Forum Discussion

Ragunw_350436
Jan 31, 2018

Need of SSL Server Profile

Hi All, I am new to the F5 environment. Please help me understand/clarify my doubts below. We have the design below and we have configured an SSL client and an SSL server profile. Could someone explain how the communication happens between the F5 and the physical servers?

client --> F5 box --> 2 physical servers

1) SSL server profile using the same certificate as configured in SSL Client.
2) What packets will get exchanged when the F5 initiates the connection to the physical servers when an SSL server profile is configured?
3) Will the F5 initiate the session key or will the physical server initiate the session key?
4) Are the real servers really required to have SSL certificates installed on them?
5) What will happen if I remove the SSL certificate from the physical server? Will traffic get encrypted?


3 Replies

  • ClientSSL and serverSSL profiles are quite similar but they are quite different at the same time (hope this makes sense). The important thing to understand is that clientSSL manages the client side of the connection and serverssl the server side; remember big-ip is a full proxy, so no matter what, client and server connections are different.


    When you configure clientSSL and set certificate and key, those will be used when the SSL handshake happens between the client and your big-ip. In your serverssl profile this configuration has a different meaning due to the server side context: the certificate and key will be used by the big-ip as a client in the server side connection, hence it will use the certificate to authenticate itself to the server. During the SSL handshake it will present the certificate you have in your profile to the server as an authentication mechanism. Honestly this is not very usual but the option is there.


    Given this, you have several options to configure your bigip: SSL offload, SSL bridge, SSL forward, etc.


    90% of the time you will use SSL offload or SSL bridge, that's my experience. SSL offload only requires a clientssl profile; on the server side you configure your pool of web servers on the http port and the traffic goes in plain. SSL bridge adds the serverssl profile to get the traffic encrypted again, hence you need your pool configured to send traffic to the ssl port (and yes, you still need a certificate; it can be any, as this one is not exposed to the client).


    Regarding session keys, this is something negotiated between the peers during the SSL handshake, it is not something really initiated on one side.


    • newbie

      Hi Daniel,

      So, for the client side SSL, I usually get the cert from my customer and create the client side SSL profile. Would the same apply to the server side SSL connection or could I use one of the available server side SSL profiles?


      Thanks.
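As an added example (not from the thread and not F5's own documentation), a tmsh script that builds the two deployments described in the first reply, SSL offload and SSL bridge, and derives the server-side profile from the built-in serverssl parent, which is the approach newbie asks about. The VIP addresses, pool member addresses, object names and the already-imported app.crt/app.key and internal-ca.crt files are all assumptions; the `cert`/`key` keywords are the 11.x/12.x syntax (newer releases prefer `cert-key-chain`).

```tmsh
# Assumed objects: 10.0.0.100/101 are VIPs, 10.0.0.11 and 10.0.0.12 are the two physical servers,
# app.crt/app.key are the customer's certificate and key already imported on the BIG-IP.

# Client-side profile: this cert and key are presented to the browser in the client<->BIG-IP handshake.
create ltm profile client-ssl app_clientssl defaults-from clientssl cert app.crt key app.key

# --- Option 1: SSL offload. Only a clientssl profile; pool members listen on plain HTTP (port 80).
create ltm pool app_http_pool monitor http members add { 10.0.0.11:80 10.0.0.12:80 }
create ltm virtual app_offload_vs destination 10.0.0.100:443 ip-protocol tcp profiles add { tcp { } http { } app_clientssl { context clientside } } pool app_http_pool source-address-translation { type automap }

# --- Option 2: SSL bridge. Same clientssl plus a serverssl profile; pool members listen on 443.
# The server-side profile inherits everything from the built-in 'serverssl' parent. No cert/key is set:
# in this profile they would only be used to present a client certificate to the servers.
create ltm profile server-ssl app_serverssl defaults-from serverssl
create ltm pool app_https_pool monitor https members add { 10.0.0.11:443 10.0.0.12:443 }
create ltm virtual app_bridge_vs destination 10.0.0.101:443 ip-protocol tcp profiles add { tcp { } http { } app_clientssl { context clientside } app_serverssl { context serverside } } pool app_https_pool source-address-translation { type automap }

# Optional hardening: with the parent defaults the BIG-IP does not validate the certificate the
# servers present (which is why "any" certificate works). To verify it against an imported CA bundle:
modify ltm profile server-ssl app_serverssl peer-cert-mode require ca-file internal-ca.crt

save sys config
```

With the last `modify` applied, a pool member whose certificate is removed or not signed by the bundle fails the server-side handshake instead of silently being accepted.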