
Forum Discussion

DH
Jan 21, 2020

HTTPS Monitor Questions

How is certificate verification done? Will the monitor fail if the server has an invalid certificate?

I am trying to set up an HTTPS Monitor for a website. In Postman I have tested the 'GET' as follows: 'https://XXXXXXX.com/YYYYYYYYYY/ZZZZZZ HTTP/1.1\r\nHost:xxxxxxxxxx.com\r\nConnection: Close\r\n\r\n'. It successfully returns a status of 200 OK.

I have created the following Monitor in F5. This is a Production site, so I want to double-check the accuracy of the monitor before applying it.

Send String - https://xxxxxxxx.com/yyyyyyyy/zzzzzz HTTP/1.1\r\nHost: xxxxxxxxxx.com\r\nConnection: Close\r\n\r\n

Receive String - 200 OK

Should the above Monitor work, or should I change something in it before testing it further on F5?

Any comments would be appreciated.

1 Reply

  • Hi DH

    The HTTPS Monitor allows you to establish a TLS connection with the back-end server.

    By default, no certificate verification is done on BIG-IP, so basically if the TLS handshake works fine and the receive string is what we configured as the expected response, the monitor should be marked as UP.

    If you want BIG-IP to verify the server's certificate, then you can attach a Server SSL profile to your HTTPS monitor and then, under Server Authentication, change Server Certificate to Require and add a file with your trusted CAs (who will verify the server's certificate identity) to Trusted Certificate Authorities.

    Trusted Certificate Authorities is a single certificate file (*.crt) with one Root CA, or a concatenated file with 2 or more Root CAs, to confirm that the server certificate (seen in the server-side Certificate message) is trusted by BIG-IP.

    Notice that BIG-IP has a pre-defined bundle (ca-bundle.crt) which contains a list of well-known trusted Root CAs, similar to the ones in browsers like Firefox:

    root@(v13)(cfg-sync In Sync)(Peer Time Out of Sync)(/Common)(tmos)# modify ltm profile server-ssl myserverssl2 ca-file ca?
    Configuration Items:
     ca-bundle.crt

    If you need to do client authentication, i.e. the server authenticating BIG-IP as a client, you can additionally add a Certificate and Key in the Client Certificate Constrained Delegation section.

    Hope that's clear enough.

    Rodrigo
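The following script is an added example for this thread, not F5's code or Rodrigo's: it reproduces what the HTTPS monitor does on each probe (TLS connect, send the raw send string, regex-match the receive string against the response) so the two configurations discussed above can be exercised from a workstation before touching a production BIG-IP. It assumes the origin-form request line 'GET /path HTTP/1.1' for the send string, that the receive string is matched as a regular expression (as BIG-IP does), and it keeps hostname checking off so that the "Require" mode models chain validation against the trusted CA bundle only, which is all the reply describes; the class, field and function names are this example's own, and `load_default_certs()` stands in for the pre-defined ca-bundle.crt.

```python
"""Stand-in for an F5 HTTPS monitor probe: TLS connect, send the send string,
match the receive string. Added example for this thread, not F5 code; names
of fields and functions are this example's own."""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class HttpsMonitor:
    """The monitor fields discussed in the thread, as they are entered in the GUI."""
    send_string: str                    # raw request with literal \r\n escapes
    receive_string: str                 # regular expression expected in the response
    verify_server_cert: bool = False    # Server SSL profile: Server Certificate = Require
    ca_file: Optional[str] = None       # Trusted Certificate Authorities bundle
    client_cert: Optional[str] = None   # client certificate + key for mutual TLS
    client_key: Optional[str] = None


def validate_send_string(send_string: str) -> list:
    """List the problems a malformed send string would cause; empty means it looks fine.
    Assumes the origin-form request line 'METHOD /path HTTP/1.x'."""
    problems = []
    lines = send_string.split(r"\r\n")
    if not re.fullmatch(r"(GET|HEAD|POST) /\S* HTTP/1\.[01]", lines[0]):
        problems.append("request line should look like 'GET /path HTTP/1.1'")
    if not any(line.lower().startswith("host:") for line in lines[1:]):
        problems.append("HTTP/1.1 requires a Host header")
    if not send_string.endswith(r"\r\n\r\n"):
        problems.append(r"request must end with an empty line (\r\n\r\n)")
    return problems


def build_send_bytes(send_string: str) -> bytes:
    """Turn the GUI's literal \\r\\n escapes into real CRLF bytes for the wire."""
    return send_string.replace(r"\r\n", "\r\n").encode("ascii")


def make_ssl_context(monitor: HttpsMonitor) -> ssl.SSLContext:
    """Default BIG-IP behaviour is no certificate verification; with 'Require' the
    server chain must validate against the trusted CA bundle. Hostname checking is
    left off because the reply only describes chain validation (assumption)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    if monitor.verify_server_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
        if monitor.ca_file:
            ctx.load_verify_locations(cafile=monitor.ca_file)
        else:
            ctx.load_default_certs()   # stands in for the pre-defined ca-bundle.crt
    else:
        ctx.verify_mode = ssl.CERT_NONE
    if monitor.client_cert:   # server-side client authentication (mutual TLS)
        ctx.load_cert_chain(monitor.client_cert, monitor.client_key)
    return ctx


def check_receive_string(receive_string: str, response: str):
    """Match the receive string as a regex against the whole response (status line,
    headers and body), so '200 OK' matches 'HTTP/1.1 200 OK'. Returns (is_up, reason)."""
    if re.search(receive_string, response):
        return True, "receive string matched"
    status = response.split("\r\n", 1)[0] if response else "<empty response>"
    return False, f"receive string not found; status line was: {status}"


def probe(monitor: HttpsMonitor, host: str, port: int = 443, timeout: float = 5.0):
    """Run one monitor check against host:port. Returns (is_up, reason)."""
    ctx = make_ssl_context(monitor)
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(build_send_bytes(monitor.send_string))
                while True:                      # 'Connection: Close' -> read to EOF
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
    except ssl.SSLCertVerificationError as exc:  # only possible in 'Require' mode
        return False, f"certificate verification failed: {exc}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"
    return check_receive_string(monitor.receive_string, b"".join(chunks).decode("latin-1"))


if __name__ == "__main__":
    mon = HttpsMonitor(
        send_string=r"GET /yyyyyyyy/zzzzzz HTTP/1.1\r\nHost: xxxxxxxxxx.com\r\nConnection: Close\r\n\r\n",
        receive_string="200 OK",
        verify_server_cert=True,
    )
    for problem in validate_send_string(mon.send_string):
        print("send string problem:", problem)
    print(probe(mon, "xxxxxxxxxx.com"))  # masked host from the thread; fails offline
```

Run it once with `verify_server_cert=False` and once with `True` against the real pool member: if the second run reports "certificate verification failed" while the first is UP, the server presents a certificate the bundle does not chain to, which is exactly the case the default monitor would silently mark UP.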