Forum Discussion

danA's avatar
danA
Icon for Altostratus rankAltostratus
Aug 31, 2022

SSL certificate validation for "virtual" command or "LB::reselect virtual"

If the "virtual <virtual name>" or "LB::reselect virtual <virtual name>" commands are used, my understanding is that there needs to be a client SSL profile on the destination virtual if there are any...
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 01, 2022

Can you elaborate? Under normal conditions there would not be a client SSL profile applied to the internal target virtual server. The "virtual" command is the "VIP target" function to pass traffic between VIPs on the same box. The target VIP is typically of type "internal" (but doesn't have to be), and would not be performing any decryption (that happens at the external VIP).

  • danA's avatar
    danA
    Icon for Altostratus rankAltostratus
    Sep 01, 2022

    In this situation, there is an iRule on the target VIP which has an HTTP_REQUEST event defined. Per https://support.f5.com/csp/article/K95905533, it needs (and has) a client SSL profile. I'm trying to understand how the cert attached to the client SSL profile is (or is not) validated.

     

Related Content