Forum Discussion
Steve_Scott_873
Oct 20, 2008
Historic F5 Account
ServerSSL - Logging on certificate check failure
Hi all,
Brief overview of the problem. We use F5s primarily for SSL Offload. In one specific traffic flow, we connect to remote HTTPS servers. These are maintained by external people, ...
Steve_Scott_873
Oct 22, 2008
Historic F5 Account
I've had another go using SSL::verify_result
when SERVERSSL_HANDSHAKE {
    # Convert the numeric verify result for the server-side handshake into its X509 error string
    set cert [X509::verify_cert_error_string [SSL::verify_result]]
    log local0.info "Certificate verify status:"
    log local0.info $cert
}
I then set Server Certificate to IGNORE (as SERVERSSL_HANDSHAKE events won't fire unless the validation is successful, and instead I want to do the validation with the iRule). When I do this, I get the following:
Oct 22 10:22:40 tmm tmm[1672]: Rule IPP_SSLError_Test : Certificate verify status:
Oct 22 10:22:40 tmm tmm[1672]: Rule IPP_SSLError_Test : ok
However, with this specific server the SSL certificate is invalid and gets rejected when Server Certificate is set to REQUIRE.
Surely if the certificate is being rejected when set to REQUIRE, then I shouldn't be getting an "Ok" response code when I'm asking the F5 what the validation status is?
Any insight would be appreciated.
