Forum Discussion
NimbostratusAlignment between standard Virtual Server SSL verification and iRule events
NimbostratusThank you :-)
One question just for confirmation if that is OK - apologies for the dumb questions I am just learning...
The info for "SSL::verify_result" says "Gets the result code from peer certificate verification".
I take it this means that the LTM has already checked the cert (CA & CRL), and this command just does a result lookup rather than actually making the LTM run the checks at the point the command is issued?
NoctilucentApologies on the late response, dint get any notification :/
Its my understanding, that the LTM would use its own defined functions to validate it. The x509 is like a sub event itself. I have read some articles which said its similar to the openssl functions thats set to display the errors and others.
I take it this means that the LTM has already checked the cert (CA & CRL) --> No, these are real time executions on the Irule. Whenever the VS gets the traffic, The Irule starts processing, it perform the checks.
So lets say your client is sending a cert at 10 AM and has its connections established. Maybe after some idle time out, session gets closed. Again when the connection is established, the Cert will be validated again. We also have session resume which helps reduce the full tls. So the client cert check wont come into picture as its a resuming session. You can put logging to see when all what events are getting triggered.
And by 11 AM if your cert is expired, and if its coming in a new connection, the LTM will capture it and will give a verify result code as 10.
It wont perform CRL check everytime, that is something the browser (client machine) will perform with the CA endpoint.
