Does server ssl profile check a web-server certificate validity ?

Question

Hi :)&nbsp;I would like to know if a self created ssl server profile can check if some web-servers pool have valid certificate.I have a full proxy, client side works properly and server side also with default serverssl profile.But now we would like to create our own server ssl profile to validate web-servers certificates (if it's ok or if it's "insecure").In server ssl profile we configure this options:&nbsp;Server Certificate: RequireUntrusted Certificate Response Control: Drop&nbsp;The last option is "Trusted Certificate Authorities" that we have to specify CA of endpoint or a chain/bundle.We tried to add all CA (root+intermediate+server) in a bundle but fails, also try to put (root+intermediate) in the server profile but fails again. Finally try to put only "server" CA in the server profile but fails also.How we can accomplish this goal ?&nbsp;Thanks,Eric

nag · Answer

Hi Eric,&nbsp;It depends on what type SSL certificates your web servers are using.&nbsp;1) if certificates are signed by a public CA, then use following option to validate the certificates.   Trusted Certificate Authorities::  Uses the&nbsp;ca-bundle.crt&nbsp;file, which contains all well-known public certificate authority (CA) certificates, for server-side processing.&nbsp;2) if certificates are signed by a Internal CA, then import CA bundle for your internal CA including all chain certs and use it as  Trusted Certificate Authority. &nbsp;Hope this helps,Nag&nbsp;

erik88 · Answer

Hi NAG,&nbsp;Thanks for the answer, did it as you say but also fails.&nbsp;Our certificate ans site are internal so in "Trusted Certificate Authorithy" box of server ssl profile i attach my bundle.&nbsp;I did some test in this bundle certificate file, including different certificates:1- Root + Intermediate + Server CA certificates2- Only root file3- Only Root + Intermediate CA certificates4- Only Server CA certificates&nbsp;All four previous files failed when try to reach web-server.Doing a pcap i find this:Level: Fatal (2)Description: Handshake Failure (40)&nbsp;Thanks :)

consul_2019 · Answer

Silly question, did you check the certificate sent back by server in your capture? Alex.

erik88 · Answer

Hi Alex,&nbsp;I don't check it, I supposed that web-server certificate is correct because if i access directly without passing through F5 it launch properly and certificate is valid and secure.Maybe is something with cipher/options or something like that ? The rest options of serverssl is configured as default, except those i told you.&nbsp;Thanks

consul_2019 · Answer

Hi, I follow your reasoning - it would be logical to assume that if you can access the server directly from your browser, cert should be ok. Yes, that's true from browser's perspective.

I would suggest take a capture on server side and check in Wireshark that you are definitely getting correct certificate back, and that you are definitely getting a certificate back (and that it's not empty for example). Bypassing F5 might seem like a good idea, but it is not a recommended way to troubleshoot these kinds of issues. :)

Thanks,

Alex

Forum Discussion

Does server ssl profile check a web-server certificate validity ?

7 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

POC: Validate JWT with iRule

Re: Management Certificate

Automate Let's Encrypt Certificates on BIG-IP

Automating ACMEv2 Certificate Management on BIG-IP

Validate Certificate Common Name and Revocation Status