ranshe_75308
Jan 21, 2012 (Nimbostratus)
F5 & VeriSign intermediate chain
Hi,
Installed VeriSign commercial certs on my F5, added those to Client SSL profile (inheriting from default "clientssl" profile).
Added VeriSign intermediate bundle (G3 & G5).
Added this to the "chain" portion of Client SSL profile.
Applied profile to virtual server.
When accessing virtual server, most of the time I'm able to connect, but sometimes I can't - I get an error along the lines of "Unknown CA".
Another verification method used is VeriSign's tool (see http://bit.ly/AzpaGG), which accesses the specified addresses and verifies the chain. Similar issue: most times it returns success, but sometimes it says the chain is invalid, and the chain it recommends adding is the one which is installed...
Next step was tcpdump - and indeed the response returned is totally different.
On success, the packet returned in "Certificate, Server Hello done" message is 1466 long, and on failure it's 164 long.
Looking at those two packets with a text editor, you see that the longer one mentions G5 whereas the shorter only has the G3.
After this long story: why would the F5 only return a partial chain at times?
Thanks,
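The tcpdump comparison above (a 1466-byte versus a 164-byte "Certificate, Server Hello Done" record) can be made systematic: decode the Certificate handshake message from each capture, list the certificates it carries, and group many connections by the chain they received. The following is an added example, not code from the poster or from F5. It assumes the TLS 1.0-1.2 record layout (a handshake record containing a Certificate message followed by ServerHelloDone) and uses constructed placeholder byte strings in place of real DER certificates; on real captures you would feed it the record bytes extracted from tcpdump or Wireshark.

```python
"""Added example: parse the TLS Certificate handshake record that tcpdump shows,
list the certificates it carries, and group captures to spot a chain that is
served inconsistently across connections."""
import hashlib
import struct

TLS_HANDSHAKE_RECORD = 0x16   # record content type: handshake
HS_CERTIFICATE = 0x0B         # handshake message type: Certificate
HS_SERVER_HELLO_DONE = 0x0E   # handshake message type: ServerHelloDone


def _u24(b: bytes) -> int:
    return int.from_bytes(b, "big")


def _p24(n: int) -> bytes:
    return n.to_bytes(3, "big")


def build_certificate_record(certs, version=(3, 1)):
    """Build one TLS 1.0-1.2 record holding a Certificate message followed by
    ServerHelloDone, as a server commonly sends them. Used here only to
    construct sample input; real input comes from a packet capture."""
    entries = b"".join(_p24(len(c)) + c for c in certs)
    cert_body = _p24(len(entries)) + entries
    handshakes = (bytes([HS_CERTIFICATE]) + _p24(len(cert_body)) + cert_body
                  + bytes([HS_SERVER_HELLO_DONE]) + _p24(0))
    return (bytes([TLS_HANDSHAKE_RECORD, *version])
            + struct.pack("!H", len(handshakes)) + handshakes)


def parse_certificate_record(record: bytes):
    """Return the list of certificate blobs (leaf first) carried by a handshake
    record's Certificate message. Raises ValueError on truncated input."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    certs = []
    pos = 0
    while pos < len(body):                     # walk every handshake message in the record
        hs_type = body[pos]
        hs_len = _u24(body[pos + 1:pos + 4])
        hs_body = body[pos + 4:pos + 4 + hs_len]
        if len(hs_body) != hs_len:
            raise ValueError("truncated handshake message")
        if hs_type == HS_CERTIFICATE:
            total = _u24(hs_body[0:3])         # length of the certificate_list
            p = 3
            while p < 3 + total:
                clen = _u24(hs_body[p:p + 3])
                cert = hs_body[p + 3:p + 3 + clen]
                if len(cert) != clen:
                    raise ValueError("truncated certificate entry")
                certs.append(cert)
                p += 3 + clen
        pos += 4 + hs_len
    return certs


def chain_fingerprint(record: bytes):
    """(length, sha256 prefix) per certificate: a compact identity for the served chain."""
    return tuple((len(c), hashlib.sha256(c).hexdigest()[:16])
                 for c in parse_certificate_record(record))


def chain_inconsistencies(records):
    """Group captured records by the chain they carry. More than one group means
    the same virtual server presented different chains to different clients."""
    groups = {}
    for i, rec in enumerate(records):
        groups.setdefault(chain_fingerprint(rec), []).append(i)
    return groups


# Constructed placeholder blobs standing in for DER certificates (not real certs).
LEAF = b"LEAF:" + bytes(range(60))
G3 = b"G3:" + bytes(range(80))
G5 = b"G5:" + bytes(range(100))
FULL_CHAIN = build_certificate_record([LEAF, G3, G5])   # what the good connections saw
SHORT_CHAIN = build_certificate_record([LEAF, G3])      # the truncated chain

if __name__ == "__main__":
    for name, rec in (("full", FULL_CHAIN), ("short", SHORT_CHAIN)):
        print(name, len(rec), "bytes,", [len(c) for c in parse_certificate_record(rec)])
    for chain, idx in chain_inconsistencies([FULL_CHAIN, FULL_CHAIN, SHORT_CHAIN, FULL_CHAIN]).items():
        print(len(chain), "cert(s) in captures", idx)
```

Running it on the constructed records reports two distinct chains across four captures, which is exactly the symptom described: the intermediate missing from the short record is what makes a client that lacks it in its own store fail with an "Unknown CA" style error. On a real system, collecting a few dozen records this way is a quick way to tell an intermittently mis-served chain apart from a client-side trust-store problem.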