For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Cynthia_18735's avatar
Cynthia_18735
Icon for Nimbostratus rankNimbostratus
Apr 17, 2008

Self-signed certificate in a Redirect

I have a virtual server setup to receive SSL traffic. The virtual server has a CLIENTSSL profile on it, with a self-signed SSL certificate. The virtual servers only purpose is to do a redirect. So, there is a rule in place that redirects.

 

 

So, for instance the user goes to the site as:

 

 

https:\\urlname.com (self-signed certificate here)

 

 

The rule redirects to:

 

 

https:\\www.urlname.com (Verisign certificat here)

 

 

In IE, this works just fine. The user doesn't get any pop-ups, etc. In Firefox, the user does get pop-ups, indicating there may be a security problem with the CA.

 

 

So, my question is - is there any way to get this to work on BigIP without the user receiving a security pop-up (short of getting a Verisign signed certificate).

 

 

config
design

1 Reply

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Apr 17, 2008
    If the browser is configured to generate an alert when the requested hostname doesn't match the subject of the SSL certificate a site presents, then I could see that it would work in IE. However, with default settings in IE, you should see the mismatched certificate warning. By design of SSL certificates there isn't a way to configure a web server to prevent the client from 'seeing' that the cert isn't valid. You'd need to get a certificate which is valid for the host name that the client requests, or change the browser settings for each client.

     

     

    I'm not sure if it's feasible for you to do, but if you could have the clients make the first request to http://urlname.com (instead of https://urlname.com), you could avoid the cert mismatch issue.

     

     

    Aaron