Forum Discussion
The beast did it when I have excluded DH, DHE..
Yes, it is important here to understand exactly what Proxy SSL Passthrough is, and what it is doing in order to understand when the application-layer features (HTTP Profile, WAF, etc) are and are not applied.
Proxy SSL:
With the original version of Proxy SSL configured, the LTM has a copy of the server's private key and it uses that to perform what is essentially a Man in The Middle (MITM) attack on all traffic where those SSL Profiles are applied.
Unfortunately, DH/DHE cipher suites are specifically designed to safeguard against MITM attacks. Proxy SSL also has several other incompatibilities, like TLS Session Tickets. If any of these are present, Proxy SSL will break and traffic will simply fail.
Because of this, F5 eventually added the Proxy SSL Passthrough mode.
Proxy SSL Passthrough:
Proxy SSL Passthrough is exactly the same as standard Proxy SSL, except that when incompatible (DH/DHE) ciphers are negotiated the LTM will bypass Proxy SSL completely (as if you had not configured any SSL Profiles) instead of dropping the traffic.
However, this is a problem if you are relying on being able to decrypt the traffic for any other purpose (HTTP Profile, iRules, APM Policies, ASM WAF inspection, etc).
My personal recommendation is to avoid Proxy SSL unless absolutely necessary. Is there any reason you can't use SSL Offloading or SSL Bridging configurations here?
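To make the bypass behaviour described above concrete, here is an added example (not code from this thread or from F5) that takes a list of cipher suite names, works out the key-exchange family from the OpenSSL naming convention, and reports which suites Proxy SSL can decrypt (RSA key exchange) and which would fall into Passthrough, where the HTTP profile, iRules and WAF inspection silently no longer apply. The reply only names DH/DHE; treating ECDH/ECDHE and all TLS 1.3 suites as Passthrough as well is an assumption of this example, as is the optional helper that expands an OpenSSL cipher string with Python's `ssl` module. The sample cipher list is constructed.

```python
import ssl
from typing import List, Tuple

# Key-exchange families that Proxy SSL cannot decrypt: with these, the premaster
# secret is not RSA-encrypted to the server key, so a copy of the private key is
# not enough. DH/DHE come from the thread above; ECDH/ECDHE and TLS 1.3 are an
# assumption made for this example.
PASSTHROUGH_KX = {"dh", "dhe", "ecdh", "ecdhe", "tls13"}


def key_exchange(cipher_name: str) -> str:
    """Derive the key-exchange family from an OpenSSL-style cipher suite name."""
    n = cipher_name.upper()
    if n.startswith("TLS_"):
        return "tls13"          # TLS 1.3 suites always use ephemeral (EC)DHE
    if n.startswith(("ECDHE-", "AECDH-")):
        return "ecdhe"          # ephemeral ECDH (AECDH = anonymous)
    if n.startswith("ECDH-"):
        return "ecdh"           # static ECDH
    if n.startswith(("DHE-", "EDH-", "ADH-")):
        return "dhe"            # ephemeral finite-field DH (ADH = anonymous)
    if n.startswith("DH-"):
        return "dh"             # static finite-field DH
    if n.startswith(("PSK-", "SRP-", "KRB5-")):
        return "other"          # not RSA, not DH; out of scope here
    # OpenSSL names without a key-exchange prefix (AES256-SHA, AES128-GCM-SHA256)
    # use plain RSA key exchange, which Proxy SSL can decrypt.
    return "rsa"


def classify(cipher_names: List[str]) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split suites into (handled by Proxy SSL, bypassed via Passthrough)."""
    handled, bypassed = [], []
    for name in cipher_names:
        kx = key_exchange(name)
        (bypassed if kx in PASSTHROUGH_KX else handled).append((name, kx))
    return handled, bypassed


def report(cipher_names: List[str]) -> str:
    """Human-readable summary of which suites lose application-layer inspection."""
    handled, bypassed = classify(cipher_names)
    lines = ["Decrypted by Proxy SSL (HTTP profile / WAF applied):"]
    lines += [f"  {name}  [{kx}]" for name, kx in handled]
    lines.append("Passthrough (no decryption, no HTTP profile / iRules / WAF):")
    lines += [f"  {name}  [{kx}]" for name, kx in bypassed]
    return "\n".join(lines)


def classify_openssl_cipher_string(cipher_string: str):
    """Assumed helper: expand an OpenSSL cipher string (as found in an SSL profile)
    into concrete suite names using the local OpenSSL build, then classify them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return classify([c["name"] for c in ctx.get_ciphers()])


if __name__ == "__main__":
    # Constructed sample: a mix of RSA, DHE, ECDHE and TLS 1.3 suites.
    sample = [
        "ECDHE-RSA-AES256-GCM-SHA384",
        "DHE-RSA-AES128-SHA",
        "AES256-SHA",
        "AES128-GCM-SHA256",
        "TLS_AES_128_GCM_SHA256",
    ]
    print(report(sample))
```

Run against the cipher list actually configured in the relevant SSL profile: any suite that lands in the Passthrough group is one where clients negotiating it are served without inspection, which is the silent gap the reply warns about when Passthrough is enabled.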