For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chris_Phillips's avatar
Chris_Phillips
Icon for Nimbostratus rankNimbostratus
Nov 26, 2015

Checking server cert CN

Howdy,

 

Running 10.2.4 still and looking to find any way to validate a server certificate name. There's the "Authenticate Name" option on the serverssl profile, however we have multiple endspoints each with a site specific DN on their cert. I'd check that a consistent name is present as a SAN, but get the impression that the SAN list isn't checked with Authenticate Name? What about Wildcards or regexes in that field?

 

SSL::cert does not work on server side calls right? So is there no possible iRule based appraoch to this either?

 

Thanks

 

Chris

 

application delivery
certificate
iRules
LTM

4 Replies

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Nov 29, 2015

    just checked this and it works fine on server side. what doesn't work well on server side is the SSL::verify_result

    Nov 29 17:43:21 bigip-01 info tmm[32037]: Rule /Common/irule-check-serverside-ssl : Server SSL SERVERHELLO happened
Nov 29 17:43:21 bigip-01 info tmm[32037]: Rule /Common/irule-check-serverside-ssl : Server SSL handshake happened
Nov 29 17:43:21 bigip-01 info tmm[32037]: Rule /Common/irule-check-serverside-ssl : Cert found
Nov 29 17:43:21 bigip-01 info tmm[32037]: Rule /Common/irule-check-serverside-ssl : X509 Certificate Subject CN=simpleidp,..........
    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP
      Nov 29, 2015
      good point, don't have that version around to test. have you tried on 10.2.4, do you get an error or nothing?
    • Chris_Phillips's avatar
      Chris_Phillips
      Icon for Nimbostratus rankNimbostratus
      Nov 29, 2015
      Error, says it can't evaluated in that context if I remember right.