HTTP::responded based on test in SERVER_CONNECTED
Hi, I need to gracefully respond to an HTTP request when setting the Server SSL profile fails. Maybe I am wrong, but the first event that can be used for this:
[PROFILE::exists serverssl] == 1 - check if a profile is attached to the VS
SSL::profile $ssls - set a specific profile based on some tests
But if the backend connection requires SSL but no profile is attached to the VS, or the profile that is set via SSL::profile does not exist, I would like to reject the client connection by sending HTTP::respond 500. The only way to cancel server-side processing I was able to figure out was setting the selected pool member down via:
LB::down pool $newpool member [LB::server addr] [LB::server port]
After this command LB_FAILED is raised and I can use:
HTTP::respond 500 content "Some message" Connection close
event disable
TCP::close
return
I am curious if this is the right way to achieve my goal? Any simpler, better or more robust ways?
Piotr

Server SSL Profile - how to use selectively
Hi there, I have a situation and wonder whether anyone here came across the same. I have a VIP listening on https with an SSL Client profile configured with a valid SSL certificate. This VIP diverts traffic to several applications using iRules in clear text (http). Recently, I have a new request to incorporate a new application into the same VIP/iRules, but the new application requires encrypted traffic (https). I can enable the Server SSL on the VIP and make the new app happy, but then it will break all the previous apps. Is there a way to select the Server SSL Profile in the iRules, but only if certain conditions are met (URI, headers etc.), and have the rest of the traffic not use the Server SSL profile at all? LTM Version: 13.1.3. Any help or pointers are highly appreciated. Thank you, Muhammad

F5 Server SSL Profile using TLS 1.0 instead of TLS 1.2
Hi, I have an F5 virtual server that does SSL inspection, so it has a client SSL profile and a server SSL profile. The backend server is running on Windows Server 2019 / IIS and it only accepts TLS 1.1 and 1.2 clients. Since the F5 acts as a client in this case towards the Windows Server 2019, I have created a server SSL profile which forces the F5 to use TLS 1.2 only (SSL Proxy is disabled). My problem is that during the Client Hello from the F5 towards the Windows Server, TLS 1.0 is used. So the backend server immediately sends a RST ACK without sending a Server Hello for supported ciphers etc. While doing a capture in Wireshark, I saw that TLS 1.0 is used, and further down in the same TCP packet it mentions TLS 1.2. This is driving me crazy. Is there any way we can enforce the F5 to use 1.2 only during the Client Hello?

URI Rule in Rewrite profile disables Server SSL profile?
Hi,
Setup: TMOS 12.1.2HF1
VS listening on port 80
Server SSL profile attached
Rewrite profile settings:
Rewrite Mode: URI Translation
Parent Profile: rewrite
Request Settings: Rewrite Headers
Response Settings: Rewrite Headers, Rewrite Content
URI Rule: Client: http://www.domainA.com/ Server: http://www.domainB.com/
Pool member set to port 443
With the above settings SSL is disabled on the backend - a client HTTP request on port 80 is passed as an HTTP request on port 443 on the backend side. There is no SSL handshake performed. Result: the backend server does not respond.
If the URI Rule is changed to:
Client: http://www.domainA.com/ Server: https://
everything starts to work: BIG-IP starts the SSL handshake and the backend accepts the connection.
Is that by design? So the protocol definition in the URI Rule defines the protocol used on the backend - in other words, it disables the Server SSL profile when set to http for Server?
Piotr

Connection terminates/closes with Server SSL Profile --> Server Authentication --> Server Certificate parameter set to Require
I have one F5 LTM and one server in its pool. The connection is encrypted end-to-end. Client to F5 is 443, and F5 LTM to server is 443. F5, subsequently, has a Client SSL Profile and a Server SSL Profile enabled. For reference on the Server SSL Profile, please see the Overview of the Server SSL profile article. I observed that the F5 LTM was not validating the server certificate. I can choose any server certificate on the server side, no problem. I ran a Wireshark trace on the server to confirm and observed that, yes, the F5 accepts the server certificate. I was able to confirm the F5 is configured with the default Server SSL Profile settings, which means the Server Certificate parameter (under the Server Authentication section) is set to Ignore, since that is the default. (An aside to the main topic: why would Ignore be the default, or even an option? Why wouldn't you want to close a security loophole, however low risk it may be? What is a legitimate purpose for ignoring server certificate validation, aside from things like dev work, testing, and troubleshooting?) I set the Server Certificate to Require and the website could not load: HTTP 500 error (connection was terminated, reset/closed). From the Wireshark trace on the server side, it appears the SSL handshake completes but then the connection closes, e.g. [FIN, ACK]. I'm not precisely sure why this one configuration change causes the connection to terminate. To my recollection, Authenticate Name is currently blank. Of course, if this problem can be solved, that parameter will be set to the server's FQDN. I'd be most grateful for any help on what I may be missing or doing incorrectly. Thank you for your time.

Resign certificate for clients to server with SSL Offload?
Hi! I would like to resign the certificate when a client hits one of our webservers. I'm not sure if I need SSL Forward Proxy or can do this with SSL Offload/Termination. Client goes to ";, F5 uses certificate "A" to the client, which is self-signed by F5. This I have placed in the Client SSL profile. F5 then contacts the server and uses certificate "B", which I have in a Server SSL profile. I have both cert/key for both A and B but don't get this to work with SSL Offload/Termination. So I'm really not doing any offloading per se, just cert resigning. Is it possible? I get a handshake failure every time I try. As I understood, this is very easily done with SSL Forward Proxy (which requires an extra license). Best Regards, Tob

How to make LTM trust a node's Self-Signed Cert?
Hello fellow F5-Admins, I'm quite lost at the moment. I was asked by our anti-virus guys if we could use SSL (https) in the backend between my LTM and their ICAP anti-virus servers. Because it's backend, and for other more or less viable reasons, we would like to use a self-signed certificate on the ICAP servers. Testing the connection with curl -k (-k for insecure) succeeds, but I guess I have to make the F5 trust the self-signed cert somehow to make it work. At the moment the health monitor is still red because the F5 is not trusting the server's cert. Where/how can I tell the F5 to ignore/accept the self-signed cert, or how do I import it into the trusted store? Just importing the cert into the "SSL Certificate List" does not work. Cheers, Ichnafi

Is it possible to use CRLDP in Server SSL Profile?
Hello, I need to check the backend server's certificates before processing the client request. I am using the option in "SSL Server Profile" named "Server Certificate > Require". All works fine, but I need to check certificate revocation. In "SSL Server Profile" I have found 2 options:
1. "Certificate Revocation List (CRL)" - that means using a static, manually uploaded file
2. "OCSP"
Is it possible to use CRLDP in Server SSL Profile?

Authentication name in server ssl profile and SAN field
Hello, in an SSL server profile, is the FQDN name in the field 'Authenticate Name' compared only to the CN field of the certificate? Or is the SAN (Subject Alternative Names) field of the certificate also compared? We have exchanges with a company currently presenting a certificate "*.company.com". So currently, we authenticate the server with "*.company.com" in the Authenticate Name field of the SSL server profile. They will soon modify their certificate with CN "company.com" and put "*.company.com" in the SAN part of the certificate. How will the SSL server profile handle this? Will SSL fail because the CN of the certificate is not equal to the Authenticate Name field in the profile? Or will SSL be OK because the SAN field holds a name equal to the Authenticate Name field of the profile? Thank you. Fred