boneyard_11131
Jun 22, 2015

Server SSL profile Server Authentication settings don't work?

i'm trying to configure the server ssl profile to accept certificates which it normally wouldn't, to be able to provide better feedback to the users on why the connection would fail. i'm aware of the risk.

for this i set the Server Certificate on require and the Expire Certificate Response Control and Untrusted Certificate Response Control both on ignore.

still the connection fails with these messages:

Jun 22 13:09:04 bigip-01 debug tmm1[17068]: 01260006:7: Peer cert verify error: unable to verify the first certificate (depth 0; cert /edit)
Jun 22 13:09:04 bigip-01 debug tmm1[17068]: 01260009:7: Connection error: ssl_shim_vfycerterr:4084: unable to verify the first certificate (48)

i can also set Server Certificate to ignore and then all server certificates are accepted, only then i can't use [SSL::verify_result] to determine the status, it is always 0 (OK).

anyone tried this and got some more insights on how to make it work?
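
Added example, not part of the original post and not F5 code: a small Python parser for the two tmm debug lines quoted above. It pairs each 01260006 verify error with a following 01260009 connection error, so you can see which verify failures actually tore the connection down. The third and fourth sample lines are constructed, and it is an assumption that a verify error is still logged when a Response Control ignores it.

```python
import re
from collections import Counter

# The first two lines are the ones quoted in the post; the last two are
# constructed for this example in the same layout.
SAMPLE_LOG = """\
Jun 22 13:09:04 bigip-01 debug tmm1[17068]: 01260006:7: Peer cert verify error: unable to verify the first certificate (depth 0; cert /edit)
Jun 22 13:09:04 bigip-01 debug tmm1[17068]: 01260009:7: Connection error: ssl_shim_vfycerterr:4084: unable to verify the first certificate (48)
Jun 22 13:09:09 bigip-01 debug tmm1[17068]: 01260006:7: Peer cert verify error: certificate has expired (depth 0; cert /CN=constructed.example)
Jun 22 13:09:10 bigip-01 notice example[1]: constructed unrelated line
"""

PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) \w+ "
    r"(?P<proc>tmm\d*)\[(?P<pid>\d+)\]: (?P<msgid>\d{8}):\d: (?P<text>.*)$")
VERIFY = re.compile(
    r"^Peer cert verify error: (?P<reason>.+) \(depth (?P<depth>\d+); cert (?P<cert>.*)\)$")
CONN = re.compile(
    r"^Connection error: (?P<where>\w+:\d+): (?P<reason>.+) \((?P<code>\d+)\)$")

def parse_verify_failures(log_text):
    """Return one record per 01260006 line. 'aborted' becomes True when a
    01260009 line with the same timestamp, process and reason follows
    (pairs that straddle a second boundary are not matched)."""
    records, pending = [], {}
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a tmm line in the expected layout
        key = (m["ts"], m["host"], m["proc"], m["pid"])
        if m["msgid"] == "01260006" and (v := VERIFY.match(m["text"])):
            rec = {"ts": m["ts"], "reason": v["reason"], "depth": int(v["depth"]),
                   "cert": v["cert"], "aborted": False, "where": None, "code": None}
            records.append(rec)
            pending[key + (v["reason"],)] = rec
        elif m["msgid"] == "01260009" and (c := CONN.match(m["text"])):
            rec = pending.pop(key + (c["reason"],), None)
            if rec:  # code is the trailing number; the post does not explain it
                rec.update(aborted=True, where=c["where"], code=int(c["code"]))
    return records

def summarize(records):
    """Count verify failures by (reason, aborted)."""
    return Counter((r["reason"], r["aborted"]) for r in records)

if __name__ == "__main__":
    for rec in parse_verify_failures(SAMPLE_LOG):
        print(rec)
```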

  • nathe
    boneyard, i've never done this exactly as you've described, i.e. i've never used the Response Controls you mention. When i have used this, entering the FQDN into the Authenticate Name and specifying the Trusted certificate has worked. You don't specifically mention this but are you using Authenticate Name? I suspect the Trusted certificate field is made obsolete by your use of the Response Control but perhaps you still have to specify something? N
  • sure, but specify what? the goal is to allow everything, so leaving that field empty should do that. the help function even warns you against that, when you don't use the Authenticate Name you allow access for everyone. i don't totally agree with that statement but i understand what they mean. just noticed these fields are added since 11.3, which means someone must have used them right :) if no one else chimes in i'll have to open a support ticket, hopefully support is willing to look into this.
  • support is investigating, anyone else perhaps who has looked into this?
  • support came up with a bugID, hopefully an engineering hotfix can tell me if it is gonna work like i want.