SSL HandShake in F5 Load Balancer BIG-IP System

SOL15292 – Troubleshooting SSL / TLS handshake failures

The BIG-IP system offers several ways to manage SSL traffic:

  • SSL passthrough: The virtual server is configured to listen for SSL connections on a port, such as 443, but does not terminate the SSL connection. Under this configuration, the BIG-IP system passes the encrypted requests to the pool members.
  • Client SSL profile: The virtual server references a Client SSL profile, which enables the BIG-IP system to accept and terminate client SSL requests. Using this configuration, the system decrypts SSL client requests, and then sends the requests to the server. The system then re-encrypts the server responses before sending them back to the client.
  • Server SSL profile: The virtual server references a Server SSL profile, which enables the BIG-IP system to initiate secure connections to the SSL servers.
  • The SSL proxy feature: The SSL proxy feature allows the BIG-IP system to optimize SSL traffic between the client and the destination server without terminating the SSL connection.

If you have configured the BIG-IP system to process SSL connections using one of the previous methods, there may be occasions when you need to perform troubleshooting steps related to the SSL handshakes. Before troubleshooting the SSL handshake, it is helpful to review the handshake protocol.

SSL handshake overview

SSL communication consists of a series of messages exchanged between two parties (client and server). The SSL handshake between a client and server consists of nine steps, and appears as follows:

Detailed Description on F5 Handshake