How to store a certificate in the configuration file?
Documentation for ngx_http_ssl_module says that it's possible to store the certificate (and the key) in variables. The value data:$variable can be specified instead of the file (1.15.10), which loads a certificate from a variable without using intermediate files. Note that inappropriate use of this syntax may have its security implications, such as writing secret key data to error log. Which is implying it's possible to store the certificate value in the variable. I'm trying to guess how to do it and can't find the proper way. I've tried: set $ssl_cert "-----BEGIN CERTIFICATE----- MIIDHDCCAgQC ... -----END CERTIFICATE----- "; and set $ssl_cert "application/x-pem-file;-----BEGIN CERTIFICATE----- MIIDHDCCAgQC ... -----END CERTIFICATE----- "; Both didn't worked. What is the syntax for storing PEM file in the variable?25Views0likes1CommentAS3 w/ certificates and renewals..
So, I found myself in a little bit of a quandary with the use AS3 declarations to deploy our F5 configurations for our services. So to create a virtual server with SSL certificate and profiles, and the nine-yards, you need to have as part of your AS3 declaration: SSL certificate (key and cert), that populate the profile, that then populates the profile section within the virtual server. So far so good... Now, the certificate has a TTL (if you will), and needs to be renewed. In the past, I had a Python script that goes through the F5 using REST API to find expiring certificates and get new certs and updates the configuration. That worked just fine, and I have adapted that to be used on our new F5s using partitions/tenants, and it works. Unfortunately is also breaks the one source of truth (AS3), so if I go make a change to an AS3 declaration to make pool member or other configuration changes, and I then redeploy the AS3 declaration, then the OLD certificate if put back into play (which could be expired) and the service goes down. Has not happened yet, because this FUBAR situation popped into my head. ..and that is my quandary... How do I redeploy configurations and have it ignore the certificate and profile stanzas in AS3 declaration - so it does not redeploy an old and possibly expired certificate? One may think .. well update the declaration with the updated certificate. Not as easy as one may think. I would have to do this for any declaration that I want to modify, not a easy task.. log-into the F5, fetch the new PEMdata for the certificate and key, update the declaration, and then deploy it. In some AS3 declarations, I am defining multiple environments for a service, and there might be up to 5 different certificate/key pairs that I would need to update prior to redeploying .. ugh! I am in a pickle. Thoughts? The only solution that I have been able to conjure up in my head is additional automation and scripting that would automatically update the AS3 declarations when a certificate is renewed, which makes sense .. just have no idea how to go about this just yet. Hoping there are other alternatives?!Solved177Views0likes6CommentsRelation between Cipher-Suite and Key-type of server certificate
I must noticed/learned these days, that specific allowed ciphers are useless if they are not matching with the key-type of the server-certificate from the clientSSL profile. I think it's not unusual that most server-certificate will still be generated with RSA 2k or 4k key-type. And those (older) certificates, which are already renewed a couple of times with the same key have even a higher chance to be a RSA type. But with this for example only the following two ciphers could be selected: ECDHE-RSA-AES128-GCM-SHA256/TLS1.2 ECDHE-RSA-AES256-GCM-SHA384/TLS1.2 If a client for example only supports the following two ciphers: ECDHE-ECDSA-AES128-GCM-SHA256/TLS1.2 ECDHE-ECDSA-AES256-GCM-SHA384/TLS1.2 Neither of these two will be choose, even if they are allowed/provided in the cipher-rule configuration of the BIG-IP. Is this really the case or are there any other dependencies, which are responsible for the „No shared ciphers between SSL peers“ log entry? I'm wondering, because I've never read about that in any of the tons of cipher documents and articles, I've read so far. => So can please someone share some detailed information about this relation? And if this behavior is true, does it makes sense and is it technical possible to create two different clientSSL profiles, one with a RSA-key and the other with a ECDSA-key and assign both to the VIP? Can the BIG-IP handle this and will choose the correct certificate/profile depending on the provided cipher-list from the client? Thank you! Regards Stefan :)Solved70Views0likes2CommentsINFORM: Entrust CA will be untrusted in Chrome after Oct 31, 2024
If you manage certs from Entrust in your environment, this will impact your Google Chrome users, so intermediate certs will likely need to be bundled to handle this in your clientssl profiles OR if you control all the clients you can assure that explicit trust in the clients is enabled for Entrust CAs. Google details on the situation77Views0likes0CommentsSSL cert bundle - how to extract the intermediate?
We have a new cert provider and instead of sending me a zip file with the cert and intermediate, they sent the cert and a bundle. Any idea how to extract the intermediate cert text from that bundle so I can import into the F5 and use with an SSL profile? Thanks!Solved94Views0likes4CommentsSSL protocol mismatch
Ok, I ended up way down a rabbit hole earlier this week. That whole line of thought seemed to be a red herring. BigIP LTM trying to load balance to MS Navision servers which don't use standard 80 or 443 ports. Instead, the client communicates on port 7246 using TLSv1.2. If I have my Virtual Server Type set to "Performance (Layer 4)" I can get a connection to the Navision servers without issue. However I want to get SSL Bridging set up because I think we can get better performance with SSL Bridging than just the SSL passthrough (which I believe is basically what the"Performance (Layer 4)" is). When I try to set the type to "standard" (without puting in a client or server ssl profile) the Navision client gives me a "could not create a connection to the server". I've imported our wildcard cert and if I set the Wildcard cert for the SSL Profile (Client) and set the SSL Profile (Server) to "serverssl" I then get a "can't connect because of a protocol mismatch". Checking tmm --clientciphers DEFAULT | grep "TLS1.2" returns a bunch of TLS1.2 protocols and the Wildcard profile is set to "Ciphers Default". Checking the LTM log, I just get kind of a generic error Oct 4 15:45:20 BigIP01.domain.com warning tmm1[3124]: 01260009:4: <client IP>:43130 -> <BigIP VS IP>:7246: Connection error: ssl_passthru:5935: alert(40) not SSL Now, according to wireshark, I'm seeing both TLS and non TLS traffic to port 7246 so I'm not sure if the above error is a "real" error or if the issue is because both kinds of traffic are going to the same port. Logging on my SSL certificate is set to "debug" for all events. I'm not sure where to go next. ltm profile client-ssl Wildcard23-24 { ciphers DEFAULT } ltm profile server-ssl serverssl { ciphers DEFAULT } pool Nav_Pool_7246 profiles { LC-http { } LC-oneconnect { } LC-tcp-lan { } Wildcard23-24 { context clientside } serverssl { context serverside } } serverssl-use-sni disabled source 0.0.0.0/0 source-address-translation { pool Nav type snat } translate-address enabled translate-port enabled vs-index 4 }Solved1.7KViews0likes13CommentsDynamic CRL Check with Client SSL Profile - How to notify the user?
Hi, we have implemented dynamic CRL checking with client SSL profile in our test environment with BIG-IP 15.1. And it works. If a test user tries to establish a SSL session to a VIP with dynamic CRL checking enabled and the user's cert is revoked, the BIG-IP resets the connection. We are looking for a wayto direct the user's browser to an error page so that the user would be notified that the application can't be accessed because the cert is revoked. Obviously, SSL session is (or not) established before any traffic can be sent over HTTP. We can verify CRL check result with "SSL::verify_result" in an iRule (for example), but the session is reset before an HTTP redirect can be sent. We are aware that this can be done with LTM + APM, however for this use case the APM is not available. This was, for example, possible in the "old days" on Cisco ACE with: parameter-map type sslMap_Name authentication-failure redirect cert-revoked url URL_Address Any ideas & help on how to notify the user that the cert has been revoked greatly appreciated. Thanks!Solved93Views0likes2Commentsclient and server ssl profiles
I am new to f5 asm, in our environment we have set up a website behind WAF in transparent mode, We have installed a wildcard certificate on real web server and replicated it on waf using client and server ssl profiles. However, when we attach this created custom profiles to virtual server site doesn't work. Interestingly, when we replace it with client/server-insecure-compatible ssl profiles site works properly. Furthermore, site works normally when we bypass waf. What steps should we take to address this issue?183Views0likes4CommentsIntermittent Net::ERR_CONNECTION_RESET Error and Incomplete Loading over HTTPS
I have an F5 load balancing setup configured with two servers. My MVC web application, which incorporates Kendo UI, Jquery, and bootstrapping, is hosted on an IIS server with an SSL certificate. However, when accessing the application via HTTPS from outside the server, it often or sometimes results in a 'net::ERR_CONNECTION_RESET' error, with intermittent failures to load javascript and CSS files to the client browser. Strangely, upon reloading the page, the assets load properly, and the page functions as expected. This issue did not occur when the application was accessed via HTTP, where it worked properly without any issues. What could be the reason behind this problem?440Views0likes2CommentsDecrypting SSL traffic - PMS and egress
Hi - two questions combined. Background - trying to catch and decipher tcpdump both for Client -> VIP and F5-> Pool Members traffic I'm following this tutorial:Decrypt with tcpdump --f5 ssl I managed to catch the frontend traffic, but I'm struggling with creating the PMS key. I want to automate it using the provided wireshark cmd command, but I get the error: C:\Program Files\Wireshark: invalid option -- 'T' C:\Program Files\Wireshark: invalid option -- 'e' I'm using Wireshark 3.4.8 - what would be the equivalent options for my version? Unfortunately using a Linux in this environment is out of the question. I can only work on Windows stepping stone and can't send the captures to my PC Second issue: Catching the backend traffic does not produce the F5 TLS in the pcap capture... The server ssl profile is present, but I have no idea how to force the --f5 ssl option in tcpdump to catch the keys. Will appreciate any advice - It is my second day struggling with the issue2.4KViews0likes14Comments