Forum Discussion

Steve_Scott_873
Historic F5 Account
Oct 20, 2008

ServerSSL - Logging on certificate check failure

Hi all,

Brief overview of the problem. We use F5's primarily for SSL Offload. In one specific traffic flow, we connect to remote HTTPS servers. These are maintained by external people, all of which *should* have an in date certificate signed by the appropriate CA.

All well and good, and so far nice and simple. While we are good at keeping our certs in date, the same cannot be said for the externals. And you can guess who does the legwork when "It's not working".

We already have some reasonable alerting infrastructure in place (in-house built, crafted with finest gaffa tape and sticky back plastic, feeding off SNMP Traps), so we'd like to be able to generate some sort of SNMP alert when we have a Server SSL connection fail, preferably with something useful like "Unsigned cert" or "Cert has expired".

I presume iRules will be the most sensible way of doing this; however, I can only find the following event for ServerSSL:

SERVERSSL_HANDSHAKE - Triggered when a server-side SSL handshake is completed

Obviously, if the handshake fails, it's not going to trigger.

Has anybody come up with any other way of triggering an event under these conditions? I couldn't find much when searching. Perhaps I'm just blind.

Thanks for your help

  • Steve_Scott_873
    Historic F5 Account
    I've had another go using SSL:verify_result

    when SERVERSSL_HANDSHAKE {
        # Map the numeric verify result to its OpenSSL error string
        set cert [X509::verify_cert_error_string [SSL::verify_result]]
        log local0.info "Certificate verify status:"
        log local0.info $cert
    }

    I then set Server Certificate to IGNORE (as SERVERSSL_HANDSHAKE events won't fire unless the validation is successful, and instead I want to do the validation with the iRule). When I do this, I get the following:

    Oct 22 10:22:40 tmm tmm[1672]: Rule IPP_SSLError_Test : Certificate verify status: 
    Oct 22 10:22:40 tmm tmm[1672]: Rule IPP_SSLError_Test : ok

    However, with this specific server the SSL certificate is invalid and gets rejected when Server Certificate is set to REQUIRE.

    Surely if the certificate is being rejected when REQUIRE, then I shouldn't be getting an "ok" response code when I'm asking the F5 what the validation status is?

    Any insight would be appreciated.
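As an added example (not Steve's iRule or F5-supplied code), the following builds on the same SSL::verify_result / X509::verify_cert_error_string calls to emit one matchable log line carrying the OpenSSL reason text and the offending certificate's subject, issuer and expiry, then rejects the connection so the iRule enforces what REQUIRE would have. It assumes Server Certificate is set to IGNORE so the event fires, and that the verify result is actually populated in that mode, which the "ok" seen above calls into question; the SERVERSSL_VERIFY_FAIL tag is a constructed marker string.

```tcl
when SERVERSSL_HANDSHAKE {
    # Numeric verify result from the server-side handshake: 0 means the chain verified cleanly.
    set rc [SSL::verify_result]
    set peer "[IP::server_addr]:[TCP::server_port]"
    if { $rc == 0 } {
        log local0.info "Server cert verified for $peer"
        return
    }
    # Non-zero: translate to the OpenSSL reason text (e.g. "certificate has expired")
    set reason [X509::verify_cert_error_string $rc]
    set detail ""
    # The peer certificate may not be retrievable after a failed check, so guard the lookup
    if { ![catch { set cert [SSL::cert 0] }] } {
        set detail " subject=\"[X509::subject $cert]\" issuer=\"[X509::issuer $cert]\" notAfter=\"[X509::not_valid_after $cert]\""
    }
    # One line, fixed prefix (constructed marker), so an alert rule can match it
    log local0.err "SERVERSSL_VERIFY_FAIL peer=$peer rc=$rc reason=\"$reason\"$detail"
    # Now that the failure is recorded, refuse the connection as REQUIRE would have
    reject
}
```

A custom alert definition in /config/user_alert.conf that matches the SERVERSSL_VERIFY_FAIL string can turn this log line into the SNMP trap the original post asks for.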