IRONMAN
Apr 23, 2020
Solved

Server Side SSL profile not match with Client side SSL profile?

Hi, I have two queries here. 1. I have Client side and server side SSL profile, but Client side it is xxx.com (External CA) and server side it is yyy.com (self sign cert) and using respect...
  • Mayur_Sutare
    Apr 23, 2020

    Hi,

    Normally, the client SSL profile is used to build the SSL channel between the client and the F5 VS. So the certificate and key uploaded under the client SSL profile should be specific to the domain/site to which the profile is applied, e.g. in your case, xxx.com. If this certificate expires or the wrong certificate is mapped, the client will start getting certificate-related warnings. The server SSL profile enables a secure connection between the F5 and the backend web server. The certificate settings under the server SSL profile are optional. The default is none unless you need mutual authentication with the pool members. Once you configure a server SSL profile on the VS, the F5 acts as an SSL client.

    Coming to your second query,

    There are a few settings related to Server Authentication under the Server SSL profile.

    One of the settings under this tab is Server Certificate, which defines how the system handles server certificates. The default setting is 'ignore'. With this, the F5 ignores the certificate from the backend server, completes the SSL handshake and turns off Server Authentication. You should be able to see certificate expiration logs under /var/log/ltm.

    I would recommend that you go through the articles below to get more clarity on the options available under client and server SSL profiles.

    https://support.f5.com/csp/article/K14806

    https://support.f5.com/csp/article/K14783

    Hope it helps!

    Mayur
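
Added example, not part of the reply above and not F5's own configuration: the Server Certificate setting the reply describes, shown as two tmsh server SSL profiles, one left at ignore and one that validates the backend. The profile names and the certificate object name yyy_backend.crt are placeholders, and the backend's self-signed certificate is assumed to be already imported on the BIG-IP.

```tmsh
# Added illustration; profile and certificate object names are placeholders.
# Assumes the backend's self-signed certificate (yyy.com) has already been
# imported on the BIG-IP as the certificate object yyy_backend.crt.

# Weak: Server Certificate = ignore. The handshake completes with whatever
# certificate the pool member presents; nothing about it is validated.
create ltm profile server-ssl serverssl_yyy_ignore defaults-from serverssl peer-cert-mode ignore

# Hardened: Server Certificate = require.
#   ca-file            trust anchor; for a self-signed backend this is the
#                      backend certificate itself
#   authenticate-name  name the presented certificate must carry
#   *-response-control drop the connection on an expired or untrusted certificate
create ltm profile server-ssl serverssl_yyy_verify defaults-from serverssl peer-cert-mode require ca-file yyy_backend.crt authenticate-name yyy.com expire-cert-response-control drop untrusted-cert-response-control drop

# Confirm what the hardened profile actually enforces.
list ltm profile server-ssl serverssl_yyy_verify peer-cert-mode ca-file authenticate-name expire-cert-response-control untrusted-cert-response-control
```

The client SSL profile for xxx.com is a separate object and is not changed by either command.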