24-Feb-2020 02:45
Hi 🙂
I would like to know if a self-created SSL server profile can check whether the web servers in a pool have valid certificates.
I have a full proxy; the client side works properly, and the server side does too with the default serverssl profile.
But now we would like to create our own server SSL profile to validate the web servers' certificates (whether they are OK or "insecure").
In the server SSL profile we configure these options:
The last option is "Trusted Certificate Authorities", where we have to specify the CA of the endpoint or a chain/bundle.
We tried adding all the CAs (root+intermediate+server) in a bundle, but it fails; we also tried putting (root+intermediate) in the server profile, but it fails again. Finally we tried putting only the "server" CA in the server profile, but that fails as well.
How can we accomplish this goal?
Thanks,
Eric
24-Feb-2020 03:46
Hi Eric,
It depends on what type of SSL certificates your web servers are using.
1) If the certificates are signed by a public CA, then use the following option to validate the certificates.
Trusted Certificate Authorities: Uses the ca-bundle.crt file, which contains all well-known public certificate authority (CA) certificates, for server-side processing.
2) If the certificates are signed by an internal CA, then import a CA bundle for your internal CA including all chain certs and use it as the Trusted Certificate Authority.
Hope this helps,
Nag
24-Feb-2020 09:08
Hi NAG,
Thanks for the answer. I did it as you say, but it also fails.
Our certificate and site are internal, so in the "Trusted Certificate Authority" box of the server SSL profile I attach my bundle.
I did some tests with this bundle certificate file, including different certificates:
1- Root + Intermediate + Server CA certificates
2- Only root file
3- Only Root + Intermediate CA certificates
4- Only Server CA certificates
All four of the previous files failed when trying to reach the web server.
Doing a pcap I find this:
Thanks 🙂
24-Feb-2020 09:19
Silly question: did you check the certificate sent back by the server in your capture? Alex.
24-Feb-2020 09:30
Hi Alex,
I didn't check it. I supposed that the web-server certificate is correct because if I access it directly without passing through the F5, it launches properly and the certificate is valid and secure.
Maybe it is something with the ciphers/options or something like that? The rest of the serverssl options are configured as default, except those I told you about.
Thanks
24-Feb-2020 09:52
Hi, I follow your reasoning; it would be logical to assume that if you can access the server directly from your browser, the cert should be OK. Yes, that's true from the browser's perspective.
I would suggest taking a capture on the server side and checking in Wireshark that you are definitely getting the correct certificate back, and that you are definitely getting a certificate back (and that it's not empty, for example). Bypassing the F5 might seem like a good idea, but it is not a recommended way to troubleshoot these kinds of issues. 🙂
Thanks,
Alex
24-Feb-2020 09:54
P.S.: I meant do a tcpdump on the BIG-IP on the server-side facing VLAN and then open it in Wireshark... Oh, if you are in prod, then you may want to do this out of hours or on a change...
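The two things Nag and Alex are asking about (what is in the trust bundle, and what the pool member actually sends in its Certificate message) decide the outcome together, and they are easy to try offline. The Go program below is an added example for this thread, not code from the thread, from F5, or from any BIG-IP tool: it builds a made-up internal PKI (root CA, issuing CA, server leaf; all names, including web01.internal.example, are invented) and then plays the role of the server-side TLS client with Go's standard crypto/x509 verifier, using the same combinations of bundle contents and presented chain that Eric tried. It goes one step beyond the thread by also checking the expected hostname, which is a separate failure mode from an untrusted chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed three-tier PKI for this example (root -> issuing CA -> server
// leaf). Every name here is made up; nothing comes from the thread.
type pki struct {
	root, inter, leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl under parent with signer's key and parses the result.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func certTemplate(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn} // the SAN is what the name check matches against
	}
	return t
}

func buildPKI() pki {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := certTemplate(1, "Example Internal Root CA", true)
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := mustCert(certTemplate(2, "Example Internal Issuing CA", true), root, &interKey.PublicKey, rootKey)
	leaf := mustCert(certTemplate(3, "web01.internal.example", false), inter, &leafKey.PublicKey, interKey)
	return pki{root, inter, leaf}
}

// verifyAsProxy does what a full proxy's server-side TLS client must do on each
// pool-member handshake: given the chain the server actually sent (leaf first),
// the configured trust bundle and the expected name, find a path from the leaf
// to a bundle entry. Unlike a browser it has no cached or AIA-fetched
// intermediates; only the bundle and the sent chain count. nil means accepted.
func verifyAsProxy(sent, bundle []*x509.Certificate, expectedName string) error {
	if len(sent) == 0 {
		return fmt.Errorf("server sent no certificate")
	}
	trusted, extras := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range bundle {
		trusted.AddCert(c)
	}
	for _, c := range sent[1:] { // anything the server included beyond its leaf
		extras.AddCert(c)
	}
	_, err := sent[0].Verify(x509.VerifyOptions{
		Roots: trusted, Intermediates: extras, DNSName: expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenario names: bundle contents vs. what the pool member sends.
const (
	RootOnlyBareLeaf  = "bundle=root only; server sends leaf only"
	RootOnlyWithInter = "bundle=root only; server sends leaf+intermediate"
	RootInterBareLeaf = "bundle=root+intermediate; server sends leaf only"
	NameMismatch      = "bundle=root+intermediate; server sends leaf only; wrong name"
)

var scenarioOrder = []string{RootOnlyBareLeaf, RootOnlyWithInter, RootInterBareLeaf, NameMismatch}

func runScenarios(p pki) map[string]error {
	bareLeaf, withInter := []*x509.Certificate{p.leaf}, []*x509.Certificate{p.leaf, p.inter}
	rootOnly, rootInter := []*x509.Certificate{p.root}, []*x509.Certificate{p.root, p.inter}
	const host = "web01.internal.example"
	return map[string]error{
		RootOnlyBareLeaf:  verifyAsProxy(bareLeaf, rootOnly, host),
		RootOnlyWithInter: verifyAsProxy(withInter, rootOnly, host),
		RootInterBareLeaf: verifyAsProxy(bareLeaf, rootInter, host),
		NameMismatch:      verifyAsProxy(bareLeaf, rootInter, "web02.internal.example"),
	}
}

func main() {
	res := runScenarios(buildPKI())
	for _, name := range scenarioOrder {
		if err := res[name]; err != nil {
			fmt.Printf("%-72s FAIL: %v\n", name, err)
		} else {
			fmt.Printf("%-72s OK\n", name)
		}
	}
}
```

Run it with `go run`. The first scenario is the one to look for in a server-side capture: when the bundle holds only the root and the server sends its leaf alone, the verifier has no way to reach the root and reports "certificate signed by unknown authority", even though the leaf is perfectly valid. A browser hides that because it already has the intermediate cached or fetches it; a proxy's server-side client does not. The fix is either to include the issuing CA in the bundle (third scenario) or to configure the pool member to send its intermediate (second scenario). The last scenario shows that a chain can be fully trusted and still be rejected when the name the client expects does not appear in the certificate's SAN, which is a different error from the untrusted-chain case and should be read as such in the capture.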