server authentication
4 Topics

SNI for serverssl profile
Hi, I have a situation like this:

VS with two clientssl profiles:
https1.test.com - SNI set to https1.test.com, Default SSL Profile for SNI checked
https2.test.com - SNI set to https2.test.com

and two serverssl profiles:
server1.test.com - SNI set to server1.test.com, Default SSL Profile for SNI checked
server2.test.com - SNI set to server2.test.com

Server with two virtual hosts:
server1.test.com - with certificate for server1.test.com
server2.test.com - with certificate for server2.test.com

Is there any way to configure the VS so that when a request comes with SNI https1.test.com the serverssl profile with SNI server1.test.com is used, and when a request comes with SNI https2.test.com the serverssl profile with SNI server2.test.com is used? Can it somehow be done in an iRule? Maybe it's possible to use one serverssl profile and then change the SNI sent to the server depending on the SNI received from the client? Any easier way to resolve this?

A bit separate question - how does BIG-IP verify that the presented server certificate is signed by CAs trusted by BIG-IP? By setting in serverssl Server Authentication:
Server Certificate: require
Authenticate Name: server FQDN (or rather the content of the CN field from the certificate)
Trusted Certificate Authorities: chain file with Root CA and all Intermediates

Seems to be working but I am not sure if this is the correct way? Not sure why, when the chain file contains only the Root CA cert and the server cert is signed by an Intermediate two levels above (Root CA -> Intermediate 1 -> Intermediate 2 -> server cert), the connection is still working.

Piotr
341 Views, 0 likes, 2 Comments

Server SSL profile Server Authentication settings don't work?
I'm trying to configure the server SSL profile to accept certificates which it normally wouldn't, to be able to provide better feedback to the users on why the connection would fail. I'm aware of the risk. For this I set the Server Certificate to require and the Expired Certificate Response Control and Untrusted Certificate Response Control both to ignore. Still the connection fails with these messages:

Jun 22 13:09:04 bigip-01 debug tmm1[17068]: 01260006:7: Peer cert verify error: unable to verify the first certificate (depth 0; cert /edit)
Jun 22 13:09:04 bigip-01 debug tmm1[17068]: 01260009:7: Connection error: ssl_shim_vfycerterr:4084: unable to verify the first certificate (48)

I can also set Server Certificate to ignore and then all server certificates are accepted, only then I can't use [SSL::verify_result] to determine the status, it is always 0 (OK). Anyone tried this and got some more insights on how to make it work?

322 Views, 0 likes, 4 Comments

Connection terminates/closes with Server SSL Profile --> Server Authentication --> Server Certificate parameter set to require
I have one F5 LTM and one server in its pool. Connection is encrypted end-to-end. Client to F5 is 443, and F5 LTM to server is 443. F5, subsequently, has Client SSL Profile and Server SSL Profile enabled. For reference to Server SSL Profile, please see the Overview of the Server SSL profile article.

I observed that F5 LTM was not validating the server certificate. I can choose any server certificate on the server side, no problem. I ran a Wireshark trace on the server to confirm and observed, yes, F5 accepts the server certificate. Was able to confirm F5 is configured with default Server SSL Profile settings, which means the Server Certificate parameter (under the Server Authentication section) is set to Ignore, since that is the default.

(An aside to the main topic is why would Ignore be the default or even an option? Why wouldn't you want to close a security loophole, however low risk it must be? What is a legitimate purpose for ignoring server certificate validation, aside from things like dev work, testing, and troubleshooting?)

Set the Server Certificate to Require and the website could not load. HTTP 500 error. Connection was terminated (reset/closed). From the Wireshark trace on the server side, it appears the SSL handshake completes but then the connection closes, e.g. [FIN, ACK]. Not precisely sure why this one configuration change causes the connection to terminate. To my recollection, Authenticate Name is currently blank. Of course, if this problem can be solved, that parameter will be set to the server's FQDN.

I'd be most grateful for any help on what I may be missing or doing incorrectly. Thank you for your time.

322 Views, 0 likes, 1 Comment

SNI for serverssl profile
Hi, I have a situation like this:

VS with two clientssl profiles:
https1.test.com - SNI set to https1.test.com, Default SSL Profile for SNI checked
https2.test.com - SNI set to https2.test.com

and two serverssl profiles:
server1.test.com - SNI set to server1.test.com, Default SSL Profile for SNI checked
server2.test.com - SNI set to server2.test.com

Server with two virtual hosts:
server1.test.com - with certificate for server1.test.com
server2.test.com - with certificate for server2.test.com

Is there any way to configure the VS so that when a request comes with SNI https1.test.com the serverssl profile with SNI server1.test.com is used, and when a request comes with SNI https2.test.com the serverssl profile with SNI server2.test.com is used? Can it somehow be done in an iRule? Maybe it's possible to use one serverssl profile and then change the SNI sent to the server depending on the SNI received from the client? Any easier way to resolve this?

A bit separate question - how does BIG-IP verify that the presented server certificate is signed by CAs trusted by BIG-IP? By setting in serverssl Server Authentication:
Server Certificate: require
Authenticate Name: server FQDN (or rather the content of the CN field from the certificate)
Trusted Certificate Authorities: chain file with Root CA and all Intermediates

Seems to be working but I am not sure if this is the correct way? Not sure why, when the chain file contains only the Root CA cert and the server cert is signed by an Intermediate two levels above (Root CA -> Intermediate 1 -> Intermediate 2 -> server cert), the connection is still working.

Piotr
166 Views, 0 likes, 0 Comments
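The question that runs through these posts, why a Trusted Certificate Authorities file holding only the Root CA still validates a server certificate issued two intermediates down, and what Server Certificate: require plus Authenticate Name actually check, comes down to what the server sends in its TLS Certificate message: a TLS client such as the BIG-IP builds the path from the certificates the server presents plus the ones in its trust bundle, so the root alone suffices in the bundle as long as the server presents its intermediates. The shell script below is an added example, not code from any post on this page, and reproduces the cases with the openssl command line: root-only bundle against a leaf sent alone (rejected, a failure at depth 0 of the same shape as the log lines in the second post), root-only bundle with the presented intermediates (accepted), the full root-plus-intermediates bundle (accepted even when the server sends only its leaf), and the Authenticate Name match against the expected host name. The host names are taken from the thread; every key and certificate is generated on the fly and is for illustration only. It assumes an openssl CLI of 1.1.0 or later (for -verify_hostname).

```sh
#!/bin/sh
# Added example, not from any post in this thread. Builds a throwaway
# Root CA -> Intermediate 1 -> Intermediate 2 -> server chain with openssl and
# then runs the checks a serverssl profile's Server Authentication settings
# perform: path validation against a trusted-CA bundle, and the Authenticate
# Name match. Host names follow the thread; every key and certificate is
# generated here (assumption: the openssl CLI, 1.1.0 or later, is installed).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue NAME CN EXTFILE [ISSUER]: new RSA key plus certificate, self-signed
# when no ISSUER is given, otherwise signed by ISSUER's key.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
    if [ -z "$4" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
            -extfile "$3" -out "$WORK/$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" \
            -CAkey "$WORK/$4.key" -CAcreateserial -days 1 \
            -extfile "$3" -out "$WORK/$1.pem" >/dev/null 2>&1
    fi
}

build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server1.test.com\n' \
        > "$WORK/leaf.ext"
    issue root "Test Root CA" "$WORK/ca.ext"
    issue int1 "Test Intermediate 1" "$WORK/ca.ext" root
    issue int2 "Test Intermediate 2" "$WORK/ca.ext" int1
    issue server server1.test.com "$WORK/leaf.ext" int2
    # What a correctly configured server sends alongside its leaf in the TLS
    # Certificate message (the intermediates, never the root).
    cat "$WORK/int2.pem" "$WORK/int1.pem" > "$WORK/presented.pem"
    # The thread's "chain file with Root CA and all Intermediates".
    cat "$WORK/root.pem" "$WORK/int1.pem" "$WORK/int2.pem" > "$WORK/bundle.pem"
}

# Trusted CAs = root only, server sends just its leaf: no issuer for the leaf
# can be found, the path cannot be built, the certificate is rejected.
verify_root_only_leaf_alone() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Trusted CAs = root only, server also sends int2 and int1 (-untrusted models
# the handshake's Certificate message): the path to the root closes, so a
# root-only bundle is enough when the server presents its intermediates.
verify_root_only_with_presented_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/presented.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Trusted CAs = root plus all intermediates: passes even for a server that
# sends only its leaf, so this bundle masks a backend that omits its chain.
verify_full_bundle_leaf_alone() {
    openssl verify -CAfile "$WORK/bundle.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Authenticate Name: the expected host must match the certificate's SAN
# dNSName (OpenSSL falls back to the CN only when no dNSName SAN is present).
verify_hostname() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/presented.pem" \
        -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1
}

build_chain
for check in verify_root_only_leaf_alone verify_root_only_with_presented_chain \
             verify_full_bundle_leaf_alone; do
    if $check; then echo "$check: accepted"; else echo "$check: rejected"; fi
done
for host in server1.test.com server2.test.com; do
    if verify_hostname "$host"; then echo "name $host: match"; else echo "name $host: mismatch"; fi
done
```

Run it as-is; it prints one line per case. The third case passing for a leaf sent alone is the reason a root-only bundle is the stricter choice: it fails the moment a backend stops sending its intermediates, whereas a bundle that also contains the intermediates silently covers for that. Neither openssl run models the Expired/Untrusted Certificate Response Control settings; they only show which path building and name checks succeed or fail.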