Forum Discussion

ranshe_75308
Jan 21, 2012

F5 & VeriSign intermediate chain

Hi,

Installed VeriSign commercial certs on my F5, added those to Client SSL profile (inheriting from default "clientssl" profile).

Added VeriSign intermediate bundle (G3 & G5).

Added this to the "chain" portion of Client SSL profile.

Applied profile to virtual server.

When accessing virtual server, most of the time I'm able to connect, but sometimes I can't - I get an error along the lines of "Unknown CA".

Another verification method used is VeriSign's tool (see http://bit.ly/AzpaGG) which accesses the specified addresses and verifies the chain - similar issue, most times it returns success, but sometimes it says chain is invalid - and the chain it recommends to add is the one which is installed...

Next step was tcpdump - and indeed the response returned is totally different.

On success, the packet returned in "Certificate, Server Hello done" message is 1466 long, and on failure it's 164 long.

Looking at those two packets with a text editor, you see that the longer one mentions G5 whereas the shorter only has the G3.

After this long story - why would the F5 only return a partial chain at times?

Thanks,

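The tcpdump comparison described above, as an added example that is not part of the original thread: a small Python parser for the TLS 1.0-1.2 handshake record that carries the Certificate and ServerHelloDone messages. It lists the certificates the server sent, fingerprints each one, and reports which certificates a short response omits relative to a full one, which is the check the poster did by hand in a text editor. The two records and the three certificate blobs below are constructed placeholders (the names G3 and G5 are only labels), not real VeriSign certificates or captures from the poster's LTM.

```python
import hashlib

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CERTIFICATE = 11
HANDSHAKE_SERVER_HELLO_DONE = 14


def _u24(b: bytes) -> int:
    return int.from_bytes(b, "big")


def parse_handshake_record(record: bytes):
    """Split one TLS record (content type 22) into its (handshake_type, body) messages."""
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    length = int.from_bytes(record[3:5], "big")
    fragment = record[5:5 + length]
    if len(fragment) != length:
        raise ValueError("truncated record")
    messages = []
    pos = 0
    while pos < len(fragment):
        if pos + 4 > len(fragment):
            raise ValueError("truncated handshake header")
        htype = fragment[pos]
        hlen = _u24(fragment[pos + 1:pos + 4])
        body = fragment[pos + 4:pos + 4 + hlen]
        if len(body) != hlen:
            raise ValueError("truncated handshake message")
        messages.append((htype, body))
        pos += 4 + hlen
    return messages


def parse_certificate_body(body: bytes):
    """Return the DER blobs in a Certificate message body (RFC 5246 section 7.4.2):
    a 3-byte certificate_list length, then repeated 3-byte length + DER entries."""
    if len(body) < 3:
        raise ValueError("certificate body too short")
    if _u24(body[:3]) != len(body) - 3:
        raise ValueError("certificate_list length mismatch")
    certs, pos = [], 3
    while pos < len(body):
        clen = _u24(body[pos:pos + 3])
        der = body[pos + 3:pos + 3 + clen]
        if len(der) != clen:
            raise ValueError("truncated certificate entry")
        certs.append(der)
        pos += 3 + clen
    return certs


def chain_from_record(record: bytes):
    """The certificate chain (leaf first) carried in a handshake record."""
    for htype, body in parse_handshake_record(record):
        if htype == HANDSHAKE_CERTIFICATE:
            return parse_certificate_body(body)
    raise ValueError("no Certificate message in record")


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def missing_from(good: bytes, bad: bytes):
    """Fingerprints sent in the good capture that the bad capture omits, in chain order."""
    bad_fps = {fingerprint(c) for c in chain_from_record(bad)}
    return [fingerprint(c) for c in chain_from_record(good) if fingerprint(c) not in bad_fps]


# ---- constructed sample data: placeholder blobs, not real certificates ----
def build_handshake_record(messages):
    frag = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in messages)
    return bytes([CONTENT_TYPE_HANDSHAKE, 3, 1]) + len(frag).to_bytes(2, "big") + frag


def build_certificate_body(certs):
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries


LEAF = b"\x30\x82" + b"placeholder-leaf-cert".ljust(60, b"\x00")
INTER_G3 = b"\x30\x82" + b"placeholder-intermediate-G3".ljust(60, b"\x00")
INTER_G5 = b"\x30\x82" + b"placeholder-intermediate-G5".ljust(60, b"\x00")

# Full response: leaf, the G3 intermediate, then the G5 cross-certificate.
GOOD_RECORD = build_handshake_record([
    (HANDSHAKE_CERTIFICATE, build_certificate_body([LEAF, INTER_G3, INTER_G5])),
    (HANDSHAKE_SERVER_HELLO_DONE, b""),
])
# Short response: the G5 entry is missing, so clients without it fail with "Unknown CA".
BAD_RECORD = build_handshake_record([
    (HANDSHAKE_CERTIFICATE, build_certificate_body([LEAF, INTER_G3])),
    (HANDSHAKE_SERVER_HELLO_DONE, b""),
])

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        chain = chain_from_record(rec)
        print(name, len(rec), "bytes,", len(chain), "certs:", [fingerprint(c)[:12] for c in chain])
    print("missing in bad:", [fp[:12] for fp in missing_from(GOOD_RECORD, BAD_RECORD)])
```

To use this on a real capture, export the TLS record that Wireshark labels "Certificate, Server Hello Done" as raw bytes and pass it to chain_from_record; comparing the fingerprints of a good and a bad response tells you exactly which chain entry is being dropped rather than just that the lengths differ. This only applies to TLS 1.2 and earlier, where the Certificate message is sent in the clear; in TLS 1.3 it is encrypted and has to be read from the client side after decryption.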
  • Was the tcpdump run on LTM? If so, I suggest opening a case with F5 Support to document the issue. If it wasn't from LTM, can you check if you see the same bad behavior on LTM itself?

    Aaron
  • Dump was taken on LTM, yes.

    A case had been opened by our F5 pre-sales guy - I'm wondering who will figure this one out first - support or the community :)

    Thanks,

  • Closed.

    We created a second (identical in content) SSL chain under a new name and then added that to the client-side SSL profile.

    This seemed to clear the issue - apparently when we first used the "override" option it left some 'ghosts' in the system.