For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

DH's avatar
DH
Icon for Nimbostratus rankNimbostratus
Jan 21, 2020

HTTPS Monitor Questions

How is certificate verification done? Will monitor fail if server has invalid certificate?   I am trying to setup a HTTPS Monitor for a website. In Postman I have tested the the 'GET" as follows ...
application delivery
BIG-IP
LTM
Rodrigo_Albuque's avatar
Rodrigo_Albuque
Icon for Cirrocumulus rankCirrocumulus
Jan 21, 2020

Hi DH

HTTPS Monitor allows you to establish a TLS connection with back-end server.

By default, no certificate verification is done on BIG-IP so basically if TLS handshake works fine and the receive string is what we configured as expected response, monitor should be marked as UP.

If you want BIG-IP to verify server's certificate then you can attach a Server SSL profile to your HTTPS monitor and then on Server Authentication, change Server Certificate to Require and add a file with your trusted CAs (who will verify server’s certificate identity) to Trusted Certificate Authorities.

Trusted Certificate Authorities is a single certificate file (*.crt) with one Root CA or concatenated file with 2 or more Root CAs to confirm server certificate (seen in server-side Certificate message) is trusted by BIG-IP.

Notice that BIG-IP has a pre-defined bundle (ca-bundle.crt) which contains a list of well-known trusted Root CAs similar to the ones in browsers like Firefox:

root@(v13)(cfg-sync In Sync)(Peer Time Out of Sync)(/Common)(tmos)# modify ltm profile server-ssl myserverssl2 ca-file ca?
Configuration Items:
 ca-bundle.crt

If you need to do client authentication, i.e. Server to authenticate BIG-IP as a client, you can additionally add a Certificate and Key to Client Certificate Constrained Delegation section.

Hope that's clear enough.

Rodrigo