Denying SSL client untrusted CERT connections

Question

Is there a way to deny a client request connecting to https when it gets the untrusted cert error? I want to roll out a private trusted root certificate along with an intermediate chain on internal tablet devices but host an external website to only be used by them. So if anyone comes in not trusting the SSL certificate presented by the F5 VIP can we reject that client. What would the irule look like?

yann_desmarest · Answer

Hi,&nbsp;
You can implement HSTS header using irule, LTM policy or simply using by checking the option in the HTTP profile. Errored SSL connections to your server will be rejected by the browser. &nbsp;
You have also an option to provide Public Key Pinning. This feature control that the certificate you see is the same that the server provides. It disallow SSL interception / MiTM.&nbsp;
Regards&nbsp;
Yann&nbsp;

kevin_stewart · Answer

The simple answer is no though. You cannot control the behavior of the client. HSTS provides that the client always talks to the server over HTTPS, and certificate pinning only ensures that there's no MITM.

Forum Discussion

Denying SSL client untrusted CERT connections

Recent Discussions

Service discovery is not happening in AS3

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

FTP PASV mode to Extended Passive mode

Oracle JDBC SSL Termination failing on F5

APM for banner and cert

Related Content

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

Deny access to F5 management from specific addresses

Securely connecting Kubernetes Microservices with F5 Distributed Cloud

AWS Transit Gateway Connect: GRE + BGP = ?

DevCentral Connects hosts Capture the Flag!

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS