Forum Discussion
How does the HTTPS monitor work?
I'd like to know how the HTTPS monitor works, i.e. what happens in the background when we assign an HTTPS monitor to a pool.
- Does it use the openssl command in the background?
- Does it use the curl command in the background?
- Or some other mechanism?
Also, I noticed that the server response does not contain any certificate. Please check the attached doc.
8 Replies
- What_Lies_Bene1
Cirrostratus
Have you specified a send and receive string? If not only a service check is performed (possibly why you don't see a certificate). You should configure a send and receive string to ensure the full monitor functionality is used.
I don't believe OpenSSL or curl are used to perform the monitoring; this is a built-in TMM function. However, OpenSSL may be used to 'handle' the SSL if necessary.
- mishpan_70054
Nimbostratus
Thanks for your response. We do have send & receive strings defined, but I am still seeing the handshake flow below, and I can see it is marking the pool member up.
Client sends --> Client Hello
Server sends --> Server Hello; Change Cipher Spec; Encrypted Handshake Message
Client sends --> Change Cipher Spec; Encrypted Handshake Message
Monitor configured as:
monitor abc.com__https_monitor {
   defaults from https
   recv " LB -Health Monitoring purposes"
   send "GET /lbhealthPage.htm HTTP/1.1\r\nHost: abc.intranet\r\nConnection: close\r\n\r\n"
}
- What_Lies_Bene1
Cirrostratus
This will be due to the SSL/TLS session being resumed. See here: http://en.wikipedia.org/wiki/Transport_Layer_Security#Resumed_TLS_handshake
- mishpan_70054
Nimbostratus
Great, got it... thanks :-)
- What_Lies_Bene1
Cirrostratus
You're welcome. I did actually try to find a way to prevent resumption on the BIG-IP for health monitors, but couldn't find anything.
- mishpan_70054
Nimbostratus
Hi Steve,
I have one more doubt about the default HTTPS monitor: I cannot find any field to define a CA. So how does the LB verify the certificate presented by the server?
- Does it go to /config/ssl/ssl.crt and check against each bundle?
And what if the certificate provided by the server is self-signed?
monitorroot type https {
   defaults from none
   interval 5
   up interval 0
   timeout 16
   time until up immediate
   dest *:*
   ignore down response disable
   enable
   is read only
   partition Common
   cert none
   cipherlist "DEFAULT:+SHA:+3DES:+kEDH"
   compatibility "enabled"
   key none
   password none
   recv disable none
   recv none
   send "GET /\r\n"
   username none
}
- What_Lies_Bene1
Cirrostratus
I don't think the server certificate is validated in any way (as it would be by a browser); that's not the point of the monitor.
- hoolio
Cirrostratus
The monitor doesn't validate the server certificate to check if the service is available. If you want LTM to validate the server cert, you can configure this in a custom server SSL profile. The server cert will then be checked on load balanced connections to the pool.
Aaron
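The abbreviated handshake from the earlier exchange and the point that the monitor does not validate the server certificate, as an added Python example that is not code from this thread or from F5: it probes a pool member with the thread's send/receive strings, reports whether the TLS session was resumed, and shows the no-validation default beside a validating context. The host abc.intranet, the path and the receive string come from the posted monitor; the function names and everything else are constructed.

```python
import socket
import ssl

# Constructed from the monitor posted in the thread: SEND is the HTTP request the
# monitor writes, RECV is the string the reply must contain for the member to be up.
SEND = "GET /lbhealthPage.htm HTTP/1.1\r\nHost: abc.intranet\r\nConnection: close\r\n\r\n"
RECV = " LB -Health Monitoring purposes"

# TLS 1.2 handshake messages present only in a full handshake; an abbreviated
# (resumed) handshake skips all of them, which matches the trace in the thread.
FULL_HANDSHAKE_ONLY = {"Certificate", "ServerKeyExchange", "ClientKeyExchange"}


def classify_handshake(messages):
    """Label a list of TLS 1.2 handshake message names as 'full' or 'resumed'."""
    return "full" if FULL_HANDSHAKE_ONLY & set(messages) else "resumed"


def recv_matches(response: bytes, recv: str = RECV) -> bool:
    """Monitor semantics: up when the receive string appears anywhere in the reply."""
    return recv.encode() in response


def make_context(verify_server_cert: bool) -> ssl.SSLContext:
    """False mirrors the built-in monitor (no CA, any cert accepted); True mirrors a
    server SSL profile with certificate validation (system CA store, hostname check)."""
    if verify_server_cert:
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def https_probe(host, port=443, verify_server_cert=False, session=None, timeout=5.0):
    """One monitor-style probe. Returns (member_up, session_reused, tls_session);
    pass the returned session into the next probe to resume, as the BIG-IP does."""
    ctx = make_context(verify_server_cert)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
            tls.sendall(SEND.encode())
            body = b""
            while chunk := tls.recv(4096):
                body += chunk
            return recv_matches(body), tls.session_reused, tls.session


if __name__ == "__main__":
    # Second probe reuses the first session: expect reused=True and the short flow.
    up, reused, sess = https_probe("abc.intranet")
    print("probe 1: up=%s reused=%s" % (up, reused))
    up, reused, _ = https_probe("abc.intranet", session=sess)
    print("probe 2: up=%s reused=%s" % (up, reused))
```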