Forum Discussion
ask_me_anytime_
Nimbostratus
Apr 15, 2010
ServerSSL - SERVERSSL_HANDSHAKE not triggered on certificate check failure ??
Hello,
During the serverSSL handshake, I'm trying to log messages when the pool member server SSL certificate is invalid (expired certificate) and BIGIP rejects it.
In the serverssl profile, I set...
ask_me_anytime_
Nimbostratus
Apr 16, 2010
Hi,
I did a simpler test to see how SERVERSSL_HANDSHAKE is triggered when the serverssl profile is set to cert mode ignore.
When the serverssl profile cert mode is require, BIGIP rejects the expired cert and the SERVERSSL_HANDSHAKE is not triggered.
When I change the serverssl profile cert mode to ignore, BIGIP doesn't reject the expired certificate, but the certificate status shows "ok" in the log.
I don't understand here why SSL::verify_result returns that the cert is OK although the cert is expired during the SERVERSSL_HANDSHAKE event.
when SERVERSSL_HANDSHAKE {
    # Translate the server-side verify result code into its error string and log it
    set cert_status [X509::verify_cert_error_string [SSL::verify_result]]
    log local0. "$cert_status"
}
This is the log I get:
Apr 15 09:10:40 local/tmm info tmm[32054]: Rule bbbbb : ok
Apr 15 09:10:40 local/tmm info tmm[32054]: Rule bbbbb : ok
Apr 15 09:10:40 local/tmm info tmm[32054]: Rule bbbbb : ok