Forum Discussion

Erik88's avatar
Erik88
Icon for Nimbostratus rankNimbostratus
Feb 24, 2020

Does server ssl profile check a web-server certificate validity ?

Hi :)

 

I would like to know if a self created ssl server profile can check if some web-servers pool have valid certificate.

I have a full proxy, client side works properly and server side also with default serverssl profile.

But now we would like to create our own server ssl profile to validate web-servers certificates (if it's ok or if it's "insecure").

In server ssl profile we configure this options:

 

  • Server Certificate: Require
  • Untrusted Certificate Response Control: Drop

 

The last option is "Trusted Certificate Authorities" that we have to specify CA of endpoint or a chain/bundle.

We tried to add all CA (root+intermediate+server) in a bundle but fails, also try to put (root+intermediate) in the server profile but fails again. Finally try to put only "server" CA in the server profile but fails also.

How we can accomplish this goal ?

 

Thanks,

Eric

  • NAG's avatar
    NAG
    Icon for Cirrostratus rankCirrostratus

    Hi Eric,

     

    It depends on what type SSL certificates your web servers are using.

     

    1) if certificates are signed by a public CA, then use following option to validate the certificates.

    Trusted Certificate Authorities:: Uses the ca-bundle.crt file, which contains all well-known public certificate authority (CA) certificates, for server-side processing.

     

    2) if certificates are signed by a Internal CA, then import CA bundle for your internal CA including all chain certs and use it as Trusted Certificate Authority.

     

    Hope this helps,

    Nag

     

  • Erik88's avatar
    Erik88
    Icon for Nimbostratus rankNimbostratus

    Hi NAG,

     

    Thanks for the answer, did it as you say but also fails.

     

    Our certificate ans site are internal so in "Trusted Certificate Authorithy" box of server ssl profile i attach my bundle.

     

    I did some test in this bundle certificate file, including different certificates:

    1- Root + Intermediate + Server CA certificates

    2- Only root file

    3- Only Root + Intermediate CA certificates

    4- Only Server CA certificates

     

    All four previous files failed when try to reach web-server.

    Doing a pcap i find this:

    • Level: Fatal (2)
    • Description: Handshake Failure (40)

     

    Thanks :)

  • Silly question, did you check the certificate sent back by server in your capture? Alex.

  • Erik88's avatar
    Erik88
    Icon for Nimbostratus rankNimbostratus

    Hi Alex,

     

    I don't check it, I supposed that web-server certificate is correct because if i access directly without passing through F5 it launch properly and certificate is valid and secure.

    Maybe is something with cipher/options or something like that ? The rest options of serverssl is configured as default, except those i told you.

     

    Thanks

  • Hi, I follow your reasoning - it would be logical to assume that if you can access the server directly from your browser, cert should be ok. Yes, that's true from browser's perspective.

    I would suggest take a capture on server side and check in Wireshark that you are definitely getting correct certificate back, and that you are definitely getting a certificate back (and that it's not empty for example). Bypassing F5 might seem like a good idea, but it is not a recommended way to troubleshoot these kinds of issues. :)

    Thanks,

    Alex

  • P.s: I meant do a tcpdump on BIG-IP on server-side facing vlan and then open in Wireshark... Oh if you are in prod, then you may want to do this out of hours or on a change...

  • Erik88's avatar
    Erik88
    Icon for Nimbostratus rankNimbostratus

    Thanks to everybody :)

    I take a tcpdump and i have to examine more carefully yet.

     

    Regards