Debugging ServerSSL Profile Setup
So let's understand what is going on with the server-ssl profile and compare it to the curl command ...
curl --cacert ca-ocp.pem https://app1.openshift.test
Send a ClientHello to the SSL server app1.openshift.test.
When the ServerHello returns the certificate, validate it against the Certificate Authority defined in ca-ocp.pem before connecting.
With a server-ssl profile, we validate the returned certificate against the settings set in the Server Authentication section - the servers (pool members) are specifically defined, and may be configured with self-signed or non-public certificates, so we usually just trust them.
This is the equivalent of
curl -k https://app1.openshift.test
But the server-ssl profile also does not know the name of the target server - the pool member is specified by IP.
curl -k https://192.168.1.1
Here is where you probably fail - the target server needs a Server Name Indication (SNI) to identify the correct service to respond with. This is specified in the Server Name field of the server-ssl profile.
You also need to use an iRule/Local Traffic Policy to select the correct server-ssl profile or pass through the request SNI to the server-side SSL request: