Forum Discussion

Dayesh_263997
Dec 12, 2018

SSL offloading query

Hello Team,

 

Below is the flow :

 

Client ----HTTPS (443)--->LTM ----> HTTPS (8443)

 

A customer requires LTM to do the SSL offloading to achieve this; however, I have configured a client SSL profile (with certs/keys imported on it). The server listens on port 8443 only.

 

Is it required to configure a server SSL profile here? If yes, can I use the default serverssl profile?

 

Please advise.

 

Regards,

 

Dayesh

 

4 Replies

  • If the backend server is listening to HTTPS at port 8443, you need a serverssl profile. I always start with the serverssl-insecure-compatible profile, just to confirm it is working. Then replace the profile with a more secure profile.

     

  • Hi,

     

    Yes, in this case you need a:

    - client ssl
    - server ssl

     

    Yes, you can use the serverssl default profile; I advise you to use "serverssl-insecure-compatible" for the server ssl profile. And of course it is required in your case.

     

    Just keep in mind that the serverssl-insecure-compatible profile type allows negotiation of weak Secure Sockets Layer (SSL) ciphers for a BIG-IP virtual server. The cipher lists for the clientssl-insecure-compatible profile include some deprecated ciphers, such as DES-CBC-SHA and all MD5 cipher suites. It will allow you to negotiate with your backend even if it uses deprecated ciphers or a bad cert (not signed by a trusted CA, ...).

     

    regards.

     

  • You must ask these questions:

     

    Does the client-side connection require SSL?

     

    If yes, assign a client ssl profile

     

    Does the server-side connection require SSL?

     

    If yes, assign a server ssl profile

     

  • Thank you all.

     

    I will test the flow and get back with my observations.

     

    Regards,

     

    Dayesh
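
The first two replies suggest starting with serverssl-insecure-compatible and then replacing it with a more secure profile. As an added example (not part of the thread and not F5 code), this Python script checks saved `tmsh list ... one-line` output for virtual servers that still reach the backend through that profile, directly or via `defaults-from`, or that have no server SSL profile at all. The sample listings and object names are constructed, and it assumes profile names appear without a partition prefix.

```python
import re

# Constructed samples shaped like `tmsh list ltm profile server-ssl one-line`
# and `tmsh list ltm virtual one-line` output; every object name is made up.
PROFILES = """\
ltm profile server-ssl serverssl_app { defaults-from serverssl-insecure-compatible }
ltm profile server-ssl serverssl_portal { defaults-from serverssl }
"""
VIRTUALS = """\
ltm virtual vs_app_443 { pool pool_app_8443 profiles { clientssl_app { context clientside } http { } serverssl_app { context serverside } tcp { } } }
ltm virtual vs_portal_443 { pool pool_portal_8443 profiles { clientssl_portal { context clientside } http { } serverssl_portal { context serverside } tcp { } } }
ltm virtual vs_legacy_443 { pool pool_legacy_8443 profiles { clientssl_legacy { context clientside } tcp-lan-optimized { context serverside } tcp-wan-optimized { context clientside } } }
"""
WEAK = "serverssl-insecure-compatible"

def parse_parents(text):
    """Return {server-ssl profile name: defaults-from parent} from the profile listing."""
    return dict(re.findall(r"^ltm profile server-ssl (\S+) \{.*?defaults-from (\S+)", text, re.M))

def inherits_weak(name, parents):
    """Walk the defaults-from chain; True if it reaches the insecure-compatible profile."""
    seen = set()
    while name and name not in seen:
        if name == WEAK:
            return True
        seen.add(name)
        name = parents.get(name)
    return False

def audit(virtuals, profiles):
    """Map each virtual server to the state of its server-side SSL profile."""
    parents = parse_parents(profiles)
    known = set(parents) | {"serverssl", WEAK}  # built-in profiles named in the thread
    report = {}
    for vs, body in re.findall(r"^ltm virtual (\S+) \{(.*)\}$", virtuals, re.M):
        # Server-side TCP profiles also carry "context serverside"; keep SSL ones only.
        attached = [p for p in re.findall(r"(\S+) \{ context serverside \}", body)
                    if p in known]
        if not attached:
            report[vs] = "no server SSL profile"
        elif any(inherits_weak(p, parents) for p in attached):
            report[vs] = "weak ciphers allowed"
        else:
            report[vs] = "ok"
    return report

if __name__ == "__main__":
    for name, status in audit(VIRTUALS, PROFILES).items():
        print(f"{name}: {status}")
```

A "no server SSL profile" result is only a finding when the pool members expect HTTPS, as with the 8443 listener in the question.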