Forum Discussion

ask_me_anytime_
Apr 15, 2010

ServerSSL - SERVERSSL_HANDSHAKE not triggered on certificate check failure??

Hello,

During the serverSSL handshake, I'm trying to log messages when the pool member server's SSL certificate is invalid (expired certificate) and BIG-IP rejects it.

In the serverssl profile, I set "Server Certificate" to "require".

When the pool member's SSL presents an expired certificate, the BIG-IP rejects it, and the access is denied.

I want to log when the BIG-IP rejects the certificate, but my iRule doesn't log it.

Is there anything wrong with the below iRule? Please help.

    when SERVERSSL_HANDSHAKE {
        set cert_status [X509::verify_cert_error_string [SSL::verify_result]]
        log local0. "$cert_status"
        if { $cert_status eq "ok" } {
            log local0. "Cert verify result - OK"
        } else {
            log local0. "Certificate INVALID"
        }
    }

----

It seems if the handshake fails, it's not going to trigger.

Please help,

  • hoolio
    Hi,

    SERVERSSL_HANDSHAKE is triggered when an SSL handshake is completed. If the server SSL profile is set to require a cert but it's not validated, I don't think the event will be triggered as the handshake hasn't completed. If you change the server SSL profile to not require a cert, do you see the event triggered? If so, you could try validating the server cert in the iRule and reject the connection for invalid certs.

    Aaron
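    One way to implement the check Aaron suggests, written here as an added example rather than code from anyone in this thread. It assumes the serverssl profile is in "ignore" mode so the event fires, and it explicitly handles the case reported later in this thread (on 10.1.0, [SSL::cert count] returned 0 in ignore mode), in which case nothing is rejected because there is no parsed certificate to judge; the expiry comparison via clock scan on the X509::not_valid_after string is an assumption about that command's date format.

```tcl
when SERVERSSL_HANDSHAKE {
    # Hypothetical iRule (not from this thread): validate the pool member's
    # certificate in the iRule so that invalid certs are logged and the
    # connection is rejected, instead of relying on profile "require" mode
    # (where the event does not fire on failure).
    set count [SSL::cert count]
    if { $count == 0 } {
        # Case seen in this thread with cert mode "ignore" on 10.1.0: no cert
        # is parsed, so the verify result cannot be trusted. Log and stop.
        log local0. "No server cert parsed from [IP::server_addr]:[TCP::server_port]"
        return
    }

    # OpenSSL-style verify code and its human-readable string.
    set verify_code [SSL::verify_result]
    set verify_msg  [X509::verify_cert_error_string $verify_code]

    set cert      [SSL::cert 0]
    set subject   [X509::subject $cert]
    set not_after [X509::not_valid_after $cert]

    # Independent expiry check, in case the verify code says "ok" for a cert
    # that was never really validated. Assumes clock scan parses the
    # notAfter string; if it cannot, fall back to the verify code alone.
    set expired 0
    if { [catch { clock scan $not_after } not_after_secs] == 0 } {
        if { $not_after_secs < [clock seconds] } {
            set expired 1
        }
    }

    if { $verify_code != 0 || $expired } {
        log local0. "Rejecting [IP::server_addr]:[TCP::server_port] cert '$subject': verify=$verify_code ($verify_msg) notAfter=$not_after"
        reject
    } else {
        log local0. "Server cert '$subject' OK, notAfter=$not_after"
    }
}
```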
  • Hi,

    When I set the serverssl profile's "server certificate" item to "Ignore", the event is not triggered in my lab.

    Maybe I should try to validate the server cert in the iRule and reject the connection for invalid certs, as you suggested.

    I will try to work on that.

    Have you ever written a similar iRule before (do the cert check/validation in the iRule)? If so, please share, just to avoid reinventing the wheel.

    Thanks,
  • hoolio
    In a quick test on a 10.1.0 test unit, when I set the cert mode to require and the server sends an expired cert, the SERVERSSL_HANDSHAKE event isn't triggered.

    When I change the server SSL profile's cert mode to ignore, then no cert count is returned with [SSL::cert count]. So I'm not sure this is possible.

        when SERVERSSL_HANDSHAKE {
           log local0. "Connected to [IP::server_addr]:[TCP::server_port]"
           log local0. "Cert count: [SSL::cert count]"
        }

    Log output:

        : Connected to 10.41.0.23:443
        : Cert count: 0

    Anyone else have ideas? If not, maybe you could open a case with F5 Support and ask about this. If you do and get an answer, could you reply back here for future reference?

    Thanks, Aaron
  • Hi,

    I did a simpler test to see how SERVERSSL_HANDSHAKE is triggered when the serverssl profile is set to cert mode ignore.

    When the serverssl profile cert mode is require, BIG-IP rejects the expired cert and SERVERSSL_HANDSHAKE is not triggered.

    When I change the serverssl profile cert mode to ignore, BIG-IP doesn't reject the expired certificate, but the certificate status shows "ok" in the log.

    I don't understand here why SSL::verify_result returns that the cert is OK although the cert is expired during the SERVERSSL_HANDSHAKE event.

        when SERVERSSL_HANDSHAKE {
            set cert_status [X509::verify_cert_error_string [SSL::verify_result]]
            log local0. "$cert_status"
        }

    This is the log I get:

        Apr 15 09:10:40 local/tmm info tmm[32054]: Rule bbbbb : ok
        Apr 15 09:10:40 local/tmm info tmm[32054]: Rule bbbbb : ok
        Apr 15 09:10:40 local/tmm info tmm[32054]: Rule bbbbb : ok
  • hoolio
    LTM doesn't seem to parse the server cert at all when the server SSL profile option for certs is set to ignore. So I guess the values that the SSL verify commands return aren't valid. I'm not sure why it would return anything though. You could check with F5 Support on this.

    Aaron