Forum Discussion

Tom_Schaefer
Aug 09, 2019

Connecting to invalid Server with SERVERSIDE SSL

I must be reading the documentation wrong. I am trying to ensure a connection to an external TLS server has a valid CA and a valid certificate. I have a virt with a SERVER SSL profile that sets drop for both Expire Certificate Response Control and Untrusted Certificate Response Control. Note it is not clear to me this comes into play when I connect to a server (as opposed to the client side).

I also ran into an issue with the certificate's CN not matching the host name in the request. That connection is also made without an issue. The ignore setting for Server Certificate is not applicable unless one sets the Authenticate Name (which I have not found a way to do via an iRule).

Is there some magic to accessing remote servers via HTTPS to ensure I am connecting to a server with a valid cert?

I used an interesting site called badssl.com to test this.

Tom Schaefer

10 Replies

  • JG

    The result is expected for the configuration you have.

    You need to change "Server Certificate" from "ignore" to "require", and enter the name defined as "Common Name (CN)" in the SSL certificate of your app server in the field "Authenticate Name". Make sure you choose a CA bundle that can validate the SSL certificate of your app server in the field "Trusted Certificate Authorities".

    Apply the iRule above to log the validation result to assist troubleshooting.

    • Thanks. That is a problem as I have a single virtual server for outbound https servers. I use an iRule to select the profile and set the host name. I was hoping to not have to create a separate profile for each remote host I want to connect with. It sounds like that is not an option.

      If I had the ability to dynamically set the Authenticate Name in an iRule, that would help.

      I will say it was not obvious that the Invalid and expired options were dependent upon the Server Certificate being set to require.

      Thanks for the assistance.

      • JG

        I simplified a bit. In other words, "Authenticate Name" must be covered by the certificate sent by the app server.

        When F5 connects out, it needs to verify the authenticity of its peer by validating the certificate it receives from the app server.

    • One more point, that iRule will have to wait until we are on v13 as that event is new to v13.

  • JG

    If the "Authenticate Name" field is empty, then it is always authenticated.

    At the minimum, you can test with the following iRule:

    when SERVERSSL_SERVERCERT {
        # SSL::verify_result is the OpenSSL verify code (0 = chain validated);
        # X509::verify_cert_error_string turns it into a readable reason.
        set result [X509::verify_cert_error_string [SSL::verify_result]]
        log local0. "Server cert validation result: $result"
    }

    to see the end result, to start with.

    • I forgot to mention we are not yet on v13 (when SERVERSSL_SERVERCERT was added, I believe). But forgetting the iRule for a moment, in just general LTM configuration, is there any way to prevent the BIG-IP from connecting to the TLS server if the cert is not valid? I ask as even with drop, it still connects if the cert is expired or a bad CA. I'm wondering if those two options are just for CLIENTSSL and not SERVERSSL.

      • JG

        Will you be able to share a screenshot of the section "Server Authentication" of your server-side SSL profile?
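Added example (not posted by anyone in this thread): JG's SERVERSSL_SERVERCERT logging iRule extended so that, on v13+, the BIG-IP itself refuses the server-side connection when the chain fails validation or the certificate's CN does not match the host the original poster already selects in an iRule. It assumes an HTTP virtual server (so HTTP::host is available), a server-side SSL profile with a Trusted Certificate Authorities bundle, and that SSL::cert 0 and reject are usable inside SERVERSSL_SERVERCERT; the variable name expected_host is hypothetical, and only the subject CN (not SANs) is inspected, so the profile's own Authenticate Name remains the supported mechanism where a single profile per host is acceptable.

```tcl
when HTTP_REQUEST {
    # Hypothetical variable: remember which host this request is meant for.
    set expected_host [string tolower [HTTP::host]]
}

when SERVERSSL_SERVERCERT {
    # 0 means the chain validated against the profile's Trusted CAs;
    # anything else is an OpenSSL verify error code.
    set code   [SSL::verify_result]
    set reason [X509::verify_cert_error_string $code]

    # Subject DN of the leaf certificate, e.g. "CN=badssl.com,O=...".
    # (Assumes SSL::cert 0 is the leaf in this event.)
    set subject [X509::subject [SSL::cert 0]]
    set cn ""
    regexp -nocase {CN=([^,]+)} $subject -> cn
    set cn [string tolower [string trim $cn]]

    # Simplified host-name match: exact CN, or a "*.example.com" wildcard
    # covering exactly one extra label. SAN entries are not inspected.
    set name_ok 0
    if { [info exists expected_host] } {
        if { $cn eq $expected_host } {
            set name_ok 1
        } elseif { [string range $cn 0 1] eq "*." } {
            set suffix [string range $cn 1 end]
            set len    [string length $suffix]
            set tail   [string range $expected_host end-[expr {$len - 1}] end]
            set left   [string range $expected_host 0 end-$len]
            if { $tail eq $suffix && $left ne "" && [string first "." $left] == -1 } {
                set name_ok 1
            }
        }
    }

    if { $code != 0 } {
        log local0. "Rejecting server-side TLS to '$subject': $reason"
        reject
    } elseif { !$name_ok } {
        log local0. "Rejecting server-side TLS: CN '$cn' does not match '$expected_host'"
        reject
    } else {
        log local0. "Server cert OK: $subject"
    }
}
```

Because reject tears down the connection, pair this with the profile's own "require" setting rather than relying on the iRule alone, and keep the log lines so a mismatch shows up in /var/log/ltm during troubleshooting.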