LTM - Peer cert verify error - What is the Server IP
Running a forward proxy with SSLo and I'm trying to find a more elegant way of hunting down the server my clients are going to when I see entries like this in the /var/log/ltm log:
Sep 18 08:16:46 BIGIP00 warning tmm2[22922]: 01260006:4: Peer cert verify error: self signed certificate in certificate chain (depth 1; cert /CN=TrustedSource_CA/O=SCC/C=US)
This specific warning entry happens so frequently that it is a large noise source that I want to get rid of by identifying the clients trying to go to whatever this is, but the logs are not helpful in identifying the server IP that is generating this entry. Since this specific CN "TrustedSource_CA" happens frequently enough, I can run a tcpdump/ssldump on the external interface of the BIG-IP to look for this specific certificate and the corresponding server-side connection.
I haven't seen a way to turn on a level of logging that would assist me in determining the server IP address in question and looking for a better way to turn on logging that would capture the server IP address when a warning like this is produced at a low frequency.
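The warning line quoted above has a fixed layout (syslog timestamp, host, tmm instance and PID, message ID, reason, verification depth, and the certificate DN). The following parser, an added example that is not part of this thread and not F5 code, extracts those fields so the entries can be counted per CN and depth; the regex is built from the single line shown in the post, so any other variant of the message is an assumption on my part, and the sample lines below are constructed.

```python
import re
from collections import Counter

# Layout of the "Peer cert verify error" warning as it appears in /var/log/ltm.
# Derived from the one line quoted in the thread; other layouts are an assumption.
LTM_PEER_CERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) warning (?P<proc>tmm\d*)\[(?P<pid>\d+)\]: "
    r"(?P<msgid>[0-9A-Fa-f]+:\d+): Peer cert verify error: "
    r"(?P<reason>[^(]+?) \(depth (?P<depth>\d+); cert (?P<dn>.+)\)$"
)


def parse_dn(dn):
    """Split an OpenSSL-style '/CN=x/O=y/C=z' string into a dict of RDNs."""
    out = {}
    for part in dn.split("/"):
        if not part:
            continue
        key, _, value = part.partition("=")
        out[key] = value
    return out


def parse_line(line):
    """Return a dict of fields for a peer-cert warning, or None for any other line."""
    m = LTM_PEER_CERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["depth"] = int(rec["depth"])
    rec["reason"] = rec["reason"].strip()
    rec["dn"] = parse_dn(rec["dn"])
    return rec


def summarize(lines):
    """Count warnings by (CN, depth, reason) so the loudest sources rank first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["dn"].get("CN", "?"), rec["depth"], rec["reason"])] += 1
    return counts


# Constructed sample: the line from the thread plus two made-up neighbours.
SAMPLE_LOG = [
    "Sep 18 08:16:46 BIGIP00 warning tmm2[22922]: 01260006:4: Peer cert verify error: "
    "self signed certificate in certificate chain (depth 1; cert /CN=TrustedSource_CA/O=SCC/C=US)",
    "Sep 18 08:16:47 BIGIP00 warning tmm0[22922]: 01260006:4: Peer cert verify error: "
    "self signed certificate in certificate chain (depth 1; cert /CN=TrustedSource_CA/O=SCC/C=US)",
    "Sep 18 08:16:48 BIGIP00 warning tmm1[22922]: 01260006:4: Peer cert verify error: "
    "certificate has expired (depth 0; cert /CN=example.invalid/O=Constructed/C=US)",
    "Sep 18 08:16:49 BIGIP00 notice tmm1[22922]: unrelated line that must be ignored",
]

if __name__ == "__main__":
    for (cn, depth, reason), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  depth={depth}  CN={cn}  ({reason})")
```

Run it against the real file with `summarize(open("/var/log/ltm"))`; the `proc` field (which tmm instance logged the entry) and the timestamp are what you would carry over to a capture taken on the same box to narrow down the server-side flow, which is the gap the thread is about.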
- youssef1
Cumulonimbus
Hi,
Did you see this kb:
https://support.f5.com/csp/article/K66643540
This message occurs when one of the following conditions is met:
- You have BIG-IP systems in a high availability (HA) configuration that are unable to verify a remote BIG-IP system's device trust SSL certificate.
- You have configured a Client SSL profile to require client certificate authentication and the BIG-IP system is unable to verify the client's SSL certificate.
SSL certificate verification may fail for a variety of reasons. Two popular reasons include:
- The received SSL certificate has not been signed by a recognized CA.
- The received SSL certificate validity period has expired.
My question is did you perform client auth (cert)?
regards
- Tabber
Altostratus
youssef,
I did use that kb but forgot to mention it in my original post.
We are not performing client auth, but on server SSL we are validating server SSL certificates against our Trusted CA list. The F5 is operating properly in dropping these certificates, so that is not my problem. I'm trying to figure out what server is responding with the bad certificate so I can back trace through either F5 logs or my firewall logs to determine the clients that are reaching out to these misconfigured servers.
Thank you for your advice.
- youssef1
Cumulonimbus
Hi,
Can you perform an ssldump between the backend server and the F5?
https://support.f5.com/csp/article/K10209
regards
- Tabber
Altostratus
So after some digging I do not think what I need is possible currently. My initial thought was to do this via an iRule, so I was looking at properties that would allow me to look at the server-side SSL certificate, since I'm doing a L3 Outbound SSLo. This led me to look at the SSL properties https://clouddocs.f5.com/api/irules/SSL__cert.html but unfortunately the documentation says it would error for server-side context. This means I wouldn't be able to use the event https://clouddocs.f5.com/api/irules/SERVERSSL_SERVERCERT.html; not sure if I could use X509 instead of SSL::cert https://clouddocs.f5.com/api/irules/X509.html. Going to try this method soon.