Forum Discussion
Rodrigo_Albuque
Thanks for your response. I should've included how we create our VIPs. This is a standard VIP that we configure:
1. We configure an HTTP and HTTPS VIP. The HTTP VIP has a policy to redirect to HTTPS
2. We configure the HTTPS VIP as a Standard VIP with a Clientside HTTP Profile, Clientside SSL Profile and Serverside SSL Profile. We use "Auto Map" and all other settings are default.
3. The Clientside SSL Profile is a custom profile with "clientssl" set as the parent profile, a trusted certificate and a custom cipher group. The Serverside SSL Profile is a custom profile with "serverssl" set as the parent profile, "Default" for the cipher suite and "Trusted Certificate Authorities" set to "ca-bundle.crt". We do not add any of our self-signed certs to the BIG-IP's "Trusted Certificate Authorities".
4. On the "Resources" tab, we have the pool (configured to use the SSL port on the pool member); the default persistence profile is "cookie" and the fallback persistence profile is "Source_Addr".
So given our setup, are we still secure?
I did not know about item #3 you listed. I will look into implementing this in a test VIP to see how it works and then go from there. What will this actually do for us that is not happening today?
As mentioned in my previous answer, it is important to set up the HTTPS monitoring properly.
It might happen that your (bigd) HTTPS monitor marks the pool member as up while the (tmm) traffic breaks.
This is due to the default monitoring behaviour (handled by bigd), which does not validate the server (pool member) certificates, even if you assign a specific serverssl profile.
Please make sure to enable In-TMM monitoring for proper server cert validation.
- Danny_Arroyo, Jul 14, 2022
Thanks for this information Stephan. I was not aware of this either. I will read through the link you provided and get this implemented.
However, based on the standard configuration of our VIPs on the BIG-IP (that I listed in my last reply), are we still doing end-to-end encryption? I am concerned because currently we don't add the self-signed certificate to the BIG-IP's "Trusted Certificate Authorities". And from what Rodrigo_Albuque mentioned, it means that the self-signed cert is not trusted. Therefore, is our traffic from the BIG-IP to our pool members secure?
- Jul 14, 2022
I guess you haven't activated the setting Server Authentication: Server Certificate = require in your serverssl profile. So the ca-bundle.crt in the Trusted Certificate Authorities setting will simply be ignored.
It would be required to add the self-signed server certificates to a certificate bundle and use it as Trusted Certificate Authorities. If you now modify Server Authentication: Server Certificate from "ignore" (default) to "require", you should be safe.
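As an added illustration (not from any poster in this thread), the last two replies expressed as tmsh commands: the weak default beside the hardened serverssl profile, plus the In-TMM monitor that validates the server certificate with the same profile. The GUI fields "Server Authentication: Server Certificate" and "Trusted Certificate Authorities" correspond to the tmsh properties `peer-cert-mode` and `ca-file`; the profile, bundle, monitor names, file path and hostname are constructed placeholders, and the `ssl-profile` monitor option assumes a BIG-IP release that supports it.

```tmsh
# Added example, not the thread's own configuration. Names are constructed.

# Weak (the default): peer-cert-mode ignore means the ca-file is never consulted,
# so any certificate a pool member presents is accepted during the server-side handshake.
create ltm profile server-ssl /Common/weak_serverssl defaults-from /Common/serverssl peer-cert-mode ignore

# Hardened: import a PEM bundle holding the pool members' self-signed certs,
# point the profile at it, and require the peer certificate to chain to it.
install sys crypto cert /Common/pool-members-bundle.crt from-local-file /var/tmp/pool-members-bundle.pem
create ltm profile server-ssl /Common/strict_serverssl defaults-from /Common/serverssl ca-file /Common/pool-members-bundle.crt peer-cert-mode require

# Monitoring: run health monitors in TMM instead of bigd, and bind the HTTPS monitor
# to the strict profile so a pool member with an untrusted cert is marked down,
# matching what production traffic will see.
modify sys db bigd.tmm value enable
create ltm monitor https /Common/strict_https defaults-from /Common/https ssl-profile /Common/strict_serverssl send "GET / HTTP/1.1\r\nHost: app.example.test\r\nConnection: close\r\n\r\n" recv "200 OK"

# Check: confirm the effective verification settings before attaching the profile to the VIP.
list ltm profile server-ssl /Common/strict_serverssl peer-cert-mode ca-file
save sys config
```

Apply `strict_serverssl` to the HTTPS virtual server and `strict_https` to its pool; if members go down after the change, the bundle is missing their current certificate rather than the configuration being wrong.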