Forum Discussion

Mark_Cloutier
Oct 05, 2012

SSL change in version 11.2.1?

Last night I replaced a version 9.4.8 2400 with an HA pair of 3600s; ASM is licensed but not in use yet on the 3600s. I found this morning that a couple of the sites that I terminate SSL on the BIG-IP for are not willing to connect to web servers that have expired certs on them. Once we started terminating SSL on the BIG-IP for these sites, we didn't worry about the certs on the servers anymore... Version 9.4.8 didn't seem to have a problem with it, but apparently version 11.2.1 does. I exported the cert and key for my web server team to install on the web server, but I wanted to check and see if I was missing something here...

  • Do you mean to say that you're re-encrypting to servers that have expired certificates?
  • Yes, and that seemed to work fine under version 9.4.8, but the version 11.2.1 BIG-IP logs the following:

    warning tmm1 tmm1[7477] 01260017 Connection attempt to insecure SSL server (see RFC5746) aborted: 172.28.131.209:443

  • Ahh, that's because 11.2 now supports, and defaults to, strict secure renegotiation in the server SSL profile. It's likely that your servers don't support secure renegotiation.

    From the BIG-IP shell, run the following:

    openssl s_client -connect :443

    The response will either contain "Secure Renegotiation IS supported", "Secure Renegotiation IS NOT supported", or nothing. If it appears that secure renegotiation is NOT supported, you can set the Secure Renegotiation setting in the server SSL profile to Request and give that a shot.

  • Sorry, the full openssl command was stripped. It should be:

    openssl s_client -connect IP-OF-SERVER:443

  • I figured it was something like that, and I had gone to the server SSL profile to look at what options were available to me... Based on what I read in the help screen, I had changed Secure Renegotiation to Request as you suggested. Unfortunately that made no difference in the behavior... I checked with the openssl command you provided and, sure enough, Secure Renegotiation is not supported... If there's not a setting in the server SSL profile to get it to ignore the expired certs, it looks like we may go with a self-signed cert across the board on our web servers and just import that into the BIG-IP. Does that make sense? Do you see other options, other than just maintaining the full certs on both the BIG-IP and the web server?

  • I must have tested before updating the virtual server to make the change effective, because now it works :) and I have verified that the certs on the web servers were not updated yet. Thanks for the help
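As an added example (not code from this thread or from F5), the Python below automates the two checks the replies describe: it classifies the "Secure Renegotiation ..." line that openssl s_client prints, and it counts 01260017 insecure-server aborts per pool member in BIG-IP log lines. The s_client tail and the log lines are constructed samples modelled on the ones quoted above.

```python
import re
from enum import Enum


class Reneg(Enum):
    SUPPORTED = "supported"          # server sends the RFC 5746 extension
    NOT_SUPPORTED = "not supported"  # legacy server; Require would abort
    UNKNOWN = "unknown"              # handshake failed, no status line at all


def parse_s_client(output: str) -> Reneg:
    """Classify the status line openssl s_client prints after a handshake.
    'IS NOT supported' must be checked first, since 'IS supported' is a
    substring of it."""
    if "Secure Renegotiation IS NOT supported" in output:
        return Reneg.NOT_SUPPORTED
    if "Secure Renegotiation IS supported" in output:
        return Reneg.SUPPORTED
    return Reneg.UNKNOWN


# Constructed sample: the tail of an s_client session against a legacy server.
SAMPLE_NOT_SUPPORTED = """---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
"""

# Matches the 01260017 abort line from the thread and captures the server.
LOG_RE = re.compile(
    r"01260017 Connection attempt to insecure SSL server \(see RFC5746\) "
    r"aborted: (?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def insecure_server_aborts(log_lines):
    """Return {(host, port): count} so an operator can see which pool
    members the server SSL profile is rejecting."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            key = (m.group("host"), int(m.group("port")))
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log: two aborts for one member plus an unrelated line.
SAMPLE_LOG = [
    "warning tmm1 tmm1[7477] 01260017 Connection attempt to insecure SSL server (see RFC5746) aborted: 172.28.131.209:443",
    "warning tmm0 tmm0[7476] 01260017 Connection attempt to insecure SSL server (see RFC5746) aborted: 172.28.131.209:443",
    "info sshd[2201]: Accepted publickey for admin from 10.0.0.5",
]
```

Feed it the real output of `openssl s_client -connect IP-OF-SERVER:443` and the ltm log to decide which members need the Request setting rather than the default.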