
LTM VIP FQDN Node CURL issue

any (Nimbostratus)

Hi all

 

Can someone please provide some guidance? I have two VIPs, both working, but one presents an incorrect cert when I curl to the VIP and the correct cert when I curl to the pool member directly (both with and without setting the source address / SNAT in curl).

I also set the correct header via the --header option in curl, but when I point it to the VIP on the same LTM it presents an invalid cert, and when I point it to the FQDN pool member of the same VIP it works and presents the correct cert. Any idea? Thanks.

regards

f

6 REPLIES

Simon_Blakely (F5 Employee)

If you connect to the virtual, the certificate presented should be the certificate specified in the client-ssl profile.

 

Is that the correct certificate?

Do you have multiple client-ssl profiles assigned to the virtual?

any (Nimbostratus)

Thanks. So the client SSL is presenting the cert, but the SSL handshake is failing straight after the Server Hello is done... the trust store for the server has a different cert than the one it is presenting, so it is failing, and Wireshark clearly shows the wrong cert being presented, so the SSL handshake terminates.

any (Nimbostratus)

curl is successful because it ignores the incorrect cert, but browser connectivity is failing when the server-side cert check is enabled and working when the server-side cert check is disabled... I don't have multiple client SSL profiles, one profile only... somehow when I do curl to the VIP the request lands on the correct host but then doesn't get redirected to the correct resource, and the cert presented is wrong... but when I do the same curl to the pool member, which is an FQDN, then I see SSL completing when accessed via the browser and the correct cert is presented too.

I am struggling to understand the problem.

 

If curl -k to the vip works but the browser fails the TLS/SSL negotiation on the client-side after the ServerHello, then the issue is probably with the client-ssl profile and the Intermediate certificate chain between the certificate and the Root certificate.

 

Can you provide the output of

curl -vk https://<vip fqdn>/ --resolve <vip fqdn>:443:<vip IP address>

which shows the certificate and the intermediate certificates?

Thanks, and sure, I will provide details.

The problem is the browser is relevant or dependent on the client SSL profile, which is working fine as the correct cert is presented... curl is initiated from the LTM itself, to the VIP and to the FQDN pool member of the VIP... the URL from the browser is not working, so when I ran tcpdump and analyzed it in Wireshark, a reset was being sent by the LTM to the client because the SSL handshake was failing after Server Hello Done... the only thing different was that the cert presented by the server was different from the one we had in the trust store of the server SSL profile... the server SSL profile had the vendor C cert and the cert presented was different.

any (Nimbostratus)

The client is internal, so we are presenting an internal cert to him, but the server is not requesting any cert from us as we don't have mutual auth... the server is only presenting a cert... we have uploaded the signer into the server profile trust store, so when the cert is presented it is compared against the one in the trust store for authentication.
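Two checks come up in this thread: Simon's request to look at the certificate and intermediate chain the VIP presents (the curl --resolve step), and the poster's own comparison of the cert the pool member presents against what is in the serverssl profile's trust store. The script below is an added example, not from the thread and not F5 code. It parses the text that `openssl s_client -showcerts` prints (the `-connect`, `-servername` and `-showcerts` options are real; `-servername` sets SNI the way curl --resolve does), fingerprints each certificate, flags a gap in the chain (a missing intermediate), checks whether the top of the chain is anchored in a given set of trusted issuer names, and compares the leaf the VIP sends with the leaf the pool member sends. The two `SAMPLE_*` outputs, the PEM bodies inside them (base64 placeholders, not real certificates), the host names and the function names are all constructed for the example.

```python
"""Chain and trust-store diagnostics over `openssl s_client -showcerts` output.
Added example; the samples below are constructed, not captures from the thread."""
import base64
import hashlib
import re
import subprocess
from typing import Dict, List, Set

# Constructed: what the VIP might print. The leaf claims to be issued by
# "Example Issuing CA 2", but the only intermediate sent is "Issuing CA 1",
# so the chain has a gap. PEM bodies are placeholders, not real certificates.
SAMPLE_VIP = """\
CONNECTED(00000003)
depth=0 CN = vip.example.test
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = vip.example.test
   i:CN = Example Issuing CA 2
-----BEGIN CERTIFICATE-----
TEVBRkNFUlQ=
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA 1
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----
---
Server certificate
subject=CN = vip.example.test
issuer=CN = Example Issuing CA 2
"""

# Constructed: what the pool member prints directly; a complete, linked chain.
SAMPLE_POOL_MEMBER = """\
Certificate chain
 0 s:CN = app01.example.test
   i:CN = Example Issuing CA 1
-----BEGIN CERTIFICATE-----
UE9PTExFQUY=
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA 1
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----
"""

CERT_HDR = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:CN = ..." lines
ISSUER = re.compile(r"^\s*i:(.*)$")           # "   i:CN = ..." lines


def fetch_showcerts(sni_host: str, ip: str, port: int = 443) -> str:
    """Live variant (not run by the test): connect to the VIP IP with SNI set,
    the same thing curl --resolve does, and return the s_client text."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{ip}:{port}",
         "-servername", sni_host, "-showcerts"],
        input="", capture_output=True, text=True, timeout=15, check=False)
    return proc.stdout


def parse_showcerts(text: str) -> List[Dict[str, str]]:
    """Return the chain in the order sent: [{index, subject, issuer, pem}, ...]."""
    certs: List[Dict[str, str]] = []
    cur = None
    in_pem, pem_lines = False, []
    for line in text.splitlines():
        m = CERT_HDR.match(line)
        if m:
            cur = {"index": int(m.group(1)), "subject": m.group(2).strip(),
                   "issuer": "", "pem": ""}
            certs.append(cur)
            continue
        m = ISSUER.match(line)
        if m and cur is not None and not cur["issuer"]:
            cur["issuer"] = m.group(1).strip()
            continue
        stripped = line.strip()
        if stripped == "-----BEGIN CERTIFICATE-----":
            in_pem, pem_lines = True, []
        elif stripped == "-----END CERTIFICATE-----":
            in_pem = False
            if cur is not None:
                cur["pem"] = "".join(pem_lines)
        elif in_pem:
            pem_lines.append(stripped)
    return certs


def sha256_fingerprint(pem_body: str) -> str:
    """SHA-256 over the DER bytes, the value shown in a browser's cert viewer."""
    return hashlib.sha256(base64.b64decode(pem_body)).hexdigest()


def check_chain(certs: List[Dict[str, str]], trusted_subjects: Set[str]) -> Dict:
    """Flag chain gaps (issuer of cert n != subject of cert n+1) and whether the
    top of the chain is issued by, or is, something in the trust store."""
    gaps = [f"gap after #{a['index']}: issued by '{a['issuer']}' "
            f"but next cert is '{b['subject']}'"
            for a, b in zip(certs, certs[1:]) if a["issuer"] != b["subject"]]
    top = certs[-1]
    anchored = top["issuer"] in trusted_subjects or top["subject"] in trusted_subjects
    return {"ok": anchored and not gaps, "anchored": anchored, "gaps": gaps}


def compare_leaf(vip_text: str, member_text: str) -> Dict:
    """Is the leaf the VIP presents the same certificate the pool member presents?"""
    vip, member = parse_showcerts(vip_text)[0], parse_showcerts(member_text)[0]
    return {"same_cert": sha256_fingerprint(vip["pem"]) == sha256_fingerprint(member["pem"]),
            "vip_subject": vip["subject"], "member_subject": member["subject"]}


if __name__ == "__main__":
    trust = {"Example Root CA"}   # constructed stand-in for the serverssl trust store
    print("VIP chain:   ", check_chain(parse_showcerts(SAMPLE_VIP), trust))
    print("member chain:", check_chain(parse_showcerts(SAMPLE_POOL_MEMBER), trust))
    print("leaf compare:", compare_leaf(SAMPLE_VIP, SAMPLE_POOL_MEMBER))
```

To use it against a real VIP, replace the samples with `fetch_showcerts("<vip fqdn>", "<vip IP address>")` and the direct pool-member output, and put the subject names of the CA certificates actually loaded in the serverssl profile's trust store into the `trust` set; a reported gap points at the client-ssl profile's chain file, while an unanchored top with no gap points at the trust store contents.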