cancel
Showing results for 
Search instead for 
Did you mean: 

Server Side SSL profile not match with Client side SSL profile?

IRONMAN
Cirrostratus
Cirrostratus

HI,

 

I have two queries here,

 

1, I have Client side and server side SSL profile, but Client side it is xxx.com(External CA) and server side it is yyy.com (self sign cert)and using respective certificate for respective profile! server side profile is default ! but my http request goes with xxx.com? it is right process? how server side profile working ? i understood, F5 act as client for server-side ssl handshake!

 

2, Server side self sign certificate at Real server was expired, but it is working still, no error , but some times small issues coming? due to this cert expired, where we can see the error of cert expired?

 

 

 

1 ACCEPTED SOLUTION

Hi,

 

Normally client SSL profile is used to build SSL channel between client and F5 VS. So certificate and key uploaded under client ssl should be specific to the domain/site to which the profile is applied. e.g. in your case, xxx.com. If this certificate expires or wrong certificate is mapped, then client will start getting warning related to certificates. Server SSL profile enables secure connection between F5 and backend web server. The certificate settings under server SSL is optional. Default is set to none unless you need mutual authentication with the pool members. Once you configure SSL server on VS, F5 act as SSL client.

 

 

 

Coming to your second query,

 

There are few settings related to Server Authentication under Server SSL profile

 

One of the setting under this tab is - Server Certificate - this implies how the system handles server certificates. Default setting is set to 'ignore'. With this, F5 ignores certificate from the backend server, completes SSL handshake and turns off Server Authentication. You should be able to see certificate expiration logs under /var/log/ltm.

 

I would recommend you to go through below articles to get more clarity and options available under client and server SSL profiles.

 

https://support.f5.com/csp/article/K14806

https://support.f5.com/csp/article/K14783

 

Hope it helps!

Mayur

View solution in original post

4 REPLIES 4

Hi,

 

Normally client SSL profile is used to build SSL channel between client and F5 VS. So certificate and key uploaded under client ssl should be specific to the domain/site to which the profile is applied. e.g. in your case, xxx.com. If this certificate expires or wrong certificate is mapped, then client will start getting warning related to certificates. Server SSL profile enables secure connection between F5 and backend web server. The certificate settings under server SSL is optional. Default is set to none unless you need mutual authentication with the pool members. Once you configure SSL server on VS, F5 act as SSL client.

 

 

 

Coming to your second query,

 

There are few settings related to Server Authentication under Server SSL profile

 

One of the setting under this tab is - Server Certificate - this implies how the system handles server certificates. Default setting is set to 'ignore'. With this, F5 ignores certificate from the backend server, completes SSL handshake and turns off Server Authentication. You should be able to see certificate expiration logs under /var/log/ltm.

 

I would recommend you to go through below articles to get more clarity and options available under client and server SSL profiles.

 

https://support.f5.com/csp/article/K14806

https://support.f5.com/csp/article/K14783

 

Hope it helps!

Mayur

IRONMAN
Cirrostratus
Cirrostratus

Thanks Mayur,

 

So here my server side is yyy.com , So there will be error, but it was ignored due to this Server Certificate settings.

Will encryption happened here, F5 to server?

Any performance delay?

any better solution here?

 

 

Yes there will be SSL session between F5 and Server. There shouldn't be any performance delay due to this. Normally server certificate setting under server SSL is optional and default is set to none. If you need server authentication, you can import valid certificate for server SSL. These are optional settings that you can configure as per your requirements. Normally client ssl certificate is important as it manages SSL handshake between untrust client and F5 and maintains secure channel for communication.

IRONMAN
Cirrostratus
Cirrostratus

Thanks Mayur!!!