101 · Question #40
Which statement is true concerning SSL termination.
The correct answer is A. A virtual server that has both ClientSSL and ServerSSL profiles can still support cookie. When a virtual server has both ClientSSL and ServerSSL profiles, the BIG-IP decrypts inbound SSL traffic, enabling L7 features like cookie persistence to inspect and act on the cleartext payload.
Question
Which statement is true concerning SSL termination.
Options
- AA virtual server that has both ClientSSL and ServerSSL profiles can still support cookie
- BDecrypting traffic at the BIG-IP allows the use of iRules for traffic management, but increases the
- CWhen any virtual server uses a ClientSSL profile, all SSL traffic sent to the BIG-IP is decrypted
- DIf a virtual server has both a ClientSSL and ServerSSL profile, the pool members have less SSL
How the community answered
(16 responses)- A50% (8)
- B6% (1)
- C19% (3)
- D25% (4)
Why each option
When a virtual server has both ClientSSL and ServerSSL profiles, the BIG-IP decrypts inbound SSL traffic, enabling L7 features like cookie persistence to inspect and act on the cleartext payload.
Having both a ClientSSL profile (client-side SSL termination) and a ServerSSL profile (re-encryption toward pool members) places the BIG-IP in an SSL bridging or full-proxy mode where cleartext is available between the two SSL sessions. This cleartext window allows L7 features such as cookie persistence, HTTP profiles, and iRules to inspect and manipulate the payload before traffic is re-encrypted and forwarded to the pool members.
Decrypting traffic at the BIG-IP offloads SSL processing from pool members, reducing their CPU overhead - it does not increase backend burden; the added load is borne by the BIG-IP itself.
A ClientSSL profile only decrypts SSL traffic directed to the specific virtual server it is associated with, not all SSL traffic arriving anywhere on the BIG-IP.
When both ClientSSL and ServerSSL profiles are configured, the BIG-IP re-encrypts traffic before sending it to pool members, meaning pool members still perform full SSL processing and do not benefit from reduced SSL overhead.
Concept tested: F5 BIG-IP SSL bridging and L7 feature visibility
Source: https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-local-traffic-management-profiles-reference/ssl-profiles.html
Topics
Community Discussion
No community discussion yet for this question.