Marcus_Hong_Yu
Apr 03, 2017

Server SSL profile cert authentication behavior

I would like to know the relationship between the following 3 items under Server Authentication in the Server SSL profile:

1> Server Certificate: ignore or require

2> Expire Certificate Response Control: ignore or drop

3> Untrusted Certificate Response Control: ignore or drop

The document says if I choose ignore under Server Certificate, the LTM will allow the connection anyway.

But what if I choose "ignore" under Server Certificate and "drop" under the other 2 items? How would the LTM behave when it receives an untrusted cert from the backend server? Will it still ignore the cert error and allow the SSL handshake to be done, or will it drop the connection attempt? Do those control options only take effect when the Server Certificate option is set to "require"?

Thanks a lot

 

1 Reply

  • 1> Server Certificate: ignore or require

    Same as in the client SSL profile, requires/ignores the other device to certificate.

    2> Expire Certificate Response Control: ignore or drop

    If ignore, it will allow connections with an expired certificate. If drop, it will drop the connection.

    3> Untrusted Certificate Response Control: ignore or drop

    Same as above, but in case the certificate was not signed by a trusted CA.

    If you select ignore for Server Certificate, it does not matter if the certificate has expired or is not trusted; the connection will not fail because of the certificate.
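
The behaviour described in the reply above, turned into a configuration audit as an added example (not part of the original thread and not F5 tooling): it parses `ltm profile server-ssl` stanzas in bigip.conf style and flags profiles where the drop controls are set but Server Certificate is ignore, and profiles that require a certificate but ignore expired or untrusted ones. Assumptions: the sample configuration and profile names are constructed, the attribute names `peer-cert-mode`, `expire-cert-response-control` and `untrusted-cert-response-control` are taken to correspond to the three GUI settings discussed, and only explicitly set values are evaluated (inherited defaults are not resolved).

```python
import re

# Constructed sample in bigip.conf style; profile names are made up.
SAMPLE_CONF = """\
ltm profile server-ssl /Common/backend_a {
    peer-cert-mode ignore
    expire-cert-response-control drop
    untrusted-cert-response-control drop
}
ltm profile server-ssl /Common/backend_b {
    peer-cert-mode require
    expire-cert-response-control drop
    untrusted-cert-response-control ignore
}
ltm profile server-ssl /Common/backend_c {
    peer-cert-mode require
    expire-cert-response-control drop
    untrusted-cert-response-control drop
}
"""

# A stanza ends at the first "}" in column 0; nested blocks are indented.
STANZA = re.compile(r"^ltm profile server-ssl (\S+) \{\n(.*?)^\}", re.M | re.S)
CONTROLS = ("expire-cert-response-control", "untrusted-cert-response-control")

def audit(conf):
    """Return {profile: [findings]} based on explicitly set attributes only."""
    report = {}
    for name, body in STANZA.findall(conf):
        pairs = (line.split(None, 1) for line in body.splitlines())
        opts = {p[0]: p[1].strip() for p in pairs if len(p) == 2}
        mode, findings = opts.get("peer-cert-mode"), []
        if mode == "ignore":
            # Per the reply: with ignore, an expired or untrusted
            # certificate never fails the connection.
            findings.append("peer-cert-mode ignore: backend certificate is not verified")
            findings += [f"{c} drop has no effect while peer-cert-mode is ignore"
                         for c in CONTROLS if opts.get(c) == "drop"]
        elif mode == "require":
            findings += [f"{c} ignore: connection is allowed despite the certificate problem"
                         for c in CONTROLS if opts.get(c) == "ignore"]
        report[name] = findings
    return report

if __name__ == "__main__":
    for profile, findings in audit(SAMPLE_CONF).items():
        print(profile, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```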