I would like to know if a self-created SSL server profile can check whether the web servers in a pool have valid certificates.
I have a full proxy; the client side works properly, and the server side also works with the default serverssl profile.
But now we would like to create our own server SSL profile to validate the web servers' certificates (whether they are OK or "insecure").
In the server SSL profile we configure these options:
The last option is "Trusted Certificate Authorities", where we have to specify the endpoint's CA or a chain/bundle.
We tried adding all the CAs (root + intermediate + server) in a bundle, but it fails; we also tried putting (root + intermediate) in the server profile, but it fails again. Finally we tried putting only the "server" CA in the server profile, but it fails too.
How can we accomplish this goal?
It depends on what type of SSL certificates your web servers are using.
1) If the certificates are signed by a public CA, then use the following option to validate the certificates.
Trusted Certificate Authorities: Uses the ca-bundle.crt file, which contains all well-known public certificate authority (CA) certificates, for server-side processing.
2) If the certificates are signed by an internal CA, then import the CA bundle for your internal CA, including all chain certs, and use it as the Trusted Certificate Authority.
Hope this helps,
Thanks for the answer. I did it as you say, but it also fails.
Our certificate and site are internal, so in the "Trusted Certificate Authority" box of the server SSL profile I attach my bundle.
I did some tests with this bundle certificate file, including different certificates:
1- Root + Intermediate + Server CA certificates
2- Only root file
3- Only Root + Intermediate CA certificates
4- Only Server CA certificates
All four previous files failed when trying to reach the web server.
Doing a pcap, I find this:
I didn't check it; I supposed that the web server certificate is correct, because if I access it directly without passing through the F5, it launches properly and the certificate is valid and secure.
Maybe it is something with ciphers/options or something like that? The rest of the serverssl options are configured as default, except those I told you about.
Hi, I follow your reasoning: it would be logical to assume that if you can access the server directly from your browser, the cert should be OK. Yes, that's true from the browser's perspective.
I would suggest taking a capture on the server side and checking in Wireshark that you are definitely getting the correct certificate back, and that you are definitely getting a certificate back (and that it's not empty, for example). Bypassing the F5 might seem like a good idea, but it is not a recommended way to troubleshoot these kinds of issues. 🙂
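An added example from the editor, not posted by anyone in this thread and not F5 code: it rebuilds the four bundle variants the poster tried, plus the case the last answer points at (what the web server actually sends in the handshake), against a throwaway root / intermediate / server hierarchy generated on the spot. The CA names, the hostname app.internal.example and the file names are constructed for the demo, and `openssl verify` is assumed to be a fair stand-in for the trust check a server SSL profile performs: the Trusted Certificate Authorities bundle is the `-CAfile`, and whatever the pool member presents in its Certificate message is the `-untrusted` input.

```shell
#!/bin/sh
# Added example (editor's own, not from the thread). Constructed PKI: the CA
# names, hostname and file names are made up for this demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_inter]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:app.internal.example
EOF

# Root CA (self-signed) -> intermediate CA -> web-server leaf certificate.
openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Demo Root CA" -days 30 2>/dev/null
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
  -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile demo.cnf -extensions v3_inter -out inter.pem -days 30 2>/dev/null
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
  -keyout server.key -out server.csr -subj "/CN=app.internal.example" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -extfile demo.cnf -extensions v3_server -out server.pem -days 30 2>/dev/null

# verify_against BUNDLE [PRESENTED]: exit 0 when server.pem chains to a
# self-signed root in BUNDLE (the "Trusted Certificate Authorities" file).
# PRESENTED models extra certificates the web server sends in its handshake;
# they help build the chain but are never trusted on their own (-untrusted).
verify_against() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" server.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" server.pem >/dev/null 2>&1
  fi
}

# The four bundles from the thread, assuming the server sends only its leaf,
# plus a fifth case: root-only bundle but the server presents its intermediate.
cat root.pem inter.pem server.pem > bundle_all.pem
cat root.pem inter.pem            > bundle_root_inter.pem
case_root_inter_server()         { verify_against bundle_all.pem; }
case_root_only()                 { verify_against root.pem; }
case_root_inter()                { verify_against bundle_root_inter.pem; }
case_server_only()               { verify_against server.pem; }
case_root_only_inter_presented() { verify_against root.pem inter.pem; }

# Print PASS/FAIL per case so the result can be read by eye.
report() {
  for c in case_root_inter_server case_root_only case_root_inter \
           case_server_only case_root_only_inter_presented; do
    if "$c"; then echo "$c: PASS"; else echo "$c: FAIL"; fi
  done
}
report
```

The two cases that fail are the ones where no path from the leaf to a self-signed root can be built: a root-only bundle when the server sends just its leaf (the intermediate is missing everywhere), and a bundle holding only the server certificate (a leaf in the trust store is not a self-signed anchor, so `openssl verify` still looks for its issuer). A bundle of root + intermediate passes whatever the server sends, and a root-only bundle passes as soon as the server includes the intermediate in its handshake. That is why the last answer's advice to look at the server-side capture matters: if every bundle, including root + intermediate, is rejected, the certificate the pool member actually presents is the thing to inspect, not the bundle.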