
Does server ssl profile check a web-server certificate validity ?

Erik88
Nimbostratus

Hi 🙂

I would like to know if a self-created SSL server profile can check whether the web servers in a pool have valid certificates.

I have a full proxy; the client side works properly, and so does the server side with the default serverssl profile.

But now we would like to create our own server SSL profile to validate the web servers' certificates (whether they are OK or "insecure").

In the server SSL profile we configure these options:

  • Server Certificate: Require
  • Untrusted Certificate Response Control: Drop

The last option is "Trusted Certificate Authorities", where we have to specify the CA of the endpoint or a chain/bundle.

We tried adding all the CAs (root+intermediate+server) in a bundle, but it fails; we also tried putting (root+intermediate) in the server profile, but it fails again. Finally we tried putting only the "server" CA in the server profile, but that fails too.

How can we accomplish this goal?

Thanks,

Eric


NAG
Cirrostratus

Hi Eric,

It depends on what type of SSL certificates your web servers are using.

1) If the certificates are signed by a public CA, then use the following option to validate them.

Trusted Certificate Authorities: Uses the ca-bundle.crt file, which contains all well-known public certificate authority (CA) certificates, for server-side processing.

2) If the certificates are signed by an internal CA, then import the CA bundle for your internal CA, including all chain certs, and use it as the Trusted Certificate Authority.

Hope this helps,

Nag

Erik88
Nimbostratus

Hi NAG,

Thanks for the answer. I did it as you say, but it also fails.

Our certificate and site are internal, so in the "Trusted Certificate Authority" box of the server SSL profile I attach my bundle.

I did some tests with this bundle certificate file, including different certificates:

1- Root + Intermediate + Server CA certificates

2- Only root file

3- Only Root + Intermediate CA certificates

4- Only Server CA certificates

All four previous files failed when trying to reach the web server.

Doing a pcap I find this:

  • Level: Fatal (2)
  • Description: Handshake Failure (40)

Thanks 🙂

consul_2019
Cirrus

Silly question: did you check the certificate sent back by the server in your capture? Alex.

Erik88
Nimbostratus

Hi Alex,

I didn't check it; I supposed that the web server certificate is correct because if I access it directly without passing through the F5 it launches properly and the certificate is valid and secure.

Maybe it is something with ciphers/options or something like that? The rest of the serverssl options are configured as default, except those I told you about.

Thanks

consul_2019
Cirrus

Hi, I follow your reasoning - it would be logical to assume that if you can access the server directly from your browser, the cert should be OK. Yes, that's true from the browser's perspective.

I would suggest taking a capture on the server side and checking in Wireshark that you are definitely getting the correct certificate back, and that you are definitely getting a certificate back (and that it's not empty, for example). Bypassing the F5 might seem like a good idea, but it is not a recommended way to troubleshoot these kinds of issues. 🙂

Thanks,

Alex

consul_2019
Cirrus

P.S.: I meant do a tcpdump on the BIG-IP on the server-side facing VLAN and then open it in Wireshark... Oh, if you are in prod, then you may want to do this out of hours or on a change...
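The bundle variants Eric listed above and Alex's point about what the server actually sends in the handshake, worked through as an added example that is not part of this thread. It builds a throwaway root -> intermediate -> server chain with openssl (all names and file names are constructed) and checks which trusted-CA bundle contents let the server certificate verify, with `-untrusted` standing in for certificates the pool member sends during the handshake.

```shell
#!/bin/sh
# Added example (not from this thread): build a throwaway root -> intermediate -> server
# chain with openssl, then check which "Trusted Certificate Authorities" bundle contents
# let the pool member's certificate verify. All names and file names are constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:web01.example.internal\n' > leaf.ext

# Root CA, self-signed with explicit CA extensions (no reliance on openssl.cnf defaults)
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Constructed Internal Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
  -extfile ca.ext 2>/dev/null
# Intermediate (issuing) CA signed by the root
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Constructed Internal Issuing CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 30 -extfile ca.ext 2>/dev/null
# Server (leaf) certificate signed by the intermediate, as a pool member would present it
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=web01.example.internal" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out server.pem -days 30 -extfile leaf.ext 2>/dev/null

# check_chain TRUSTED_BUNDLE SENT_CHAIN LEAF -> prints ok or fail.
# TRUSTED_BUNDLE plays the profile's Trusted Certificate Authorities file; SENT_CHAIN is
# whatever extra certs the server includes in its handshake ('' when it sends only the
# leaf). Sent certs help build the path but are never trust anchors, as in any TLS client.
check_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

cat root.pem inter.pem > bundle_root_inter.pem          # what an internal-CA bundle needs
cat root.pem inter.pem server.pem > bundle_all.pem      # leaf in the bundle is harmless
echo "root+inter bundle, server sends leaf only:  $(check_chain bundle_root_inter.pem '' server.pem)"  # ok
echo "root+inter+server bundle:                   $(check_chain bundle_all.pem '' server.pem)"         # ok
echo "root-only bundle, server sends inter too:   $(check_chain root.pem inter.pem server.pem)"       # ok
echo "root-only bundle, server sends leaf only:   $(check_chain root.pem '' server.pem)"              # fail
echo "server cert alone as the 'CA':              $(check_chain server.pem '' server.pem)"
```

If the root+intermediate bundle verifies here but the BIG-IP still sends a fatal handshake failure, the bundle is not the problem, which is why the server-side capture Alex asks for is the next step.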

Erik88
Nimbostratus

Thanks to everybody 🙂

I took a tcpdump and still have to examine it more carefully.

Regards