Forum Discussion

MW1
Apr 04, 2014

SSL server profiles - does it validate the certificate?

All, while I have read the KB I am still not clear how much validation the F5 LTM does of SSL certificates on backend servers (i.e. ones in a pool) when using a server SSL profile.

I have a situation where the F5 LTM is set up with a virtual server listening on https/443, load balancing a pool also listening on port 443; however, we are terminating the SSL on the F5 to inspect the host header before re-encrypting and sending it on to the right pool (i.e. we have a client SSL profile on the front and a server SSL profile on the back).

I have inherited the setup and we are now at the point where the certificates on the servers and the F5 need to be renewed. Looking at the server SSL profile, it has been set with the same cert/key pair that is used on the client SSL profile; however, chain and trusted certificate authorities are set to none. It appears the only customisation of the profile from the default serverssl profile is the cert/key.

My question, based on the above, is: is the F5 validating the certificate on the servers in the pool at all? And if the certificate on the servers in the pool is not updated but the one on the F5 server SSL profile is (so the key/cert pair is no longer the same between the F5 and the server, and the server's will eventually expire), would this result in the F5 failing to proxy the traffic?

Thanks in advance


6 Replies

  • uni

    The default serverssl profiles do not validate the remote certificate. There is a flag to enable validation. I have many services set up with the default profile, with no certificate specified.

    • MW1

      By "flag to enable validation", is it your understanding that this is the Server Authentication section of the profile -> Server Certificate field drop-down box of "ignore" or "required"?

    • Mike_Maher

      Setting up a server SSL profile with a certificate and key is not done to validate the certificate on the server in the pool; it is done if you are doing 2-way SSL or authentication with a client certificate. When you put a cert and key there you are sending that certificate for authentication; if all you are doing is standard SSL encryption you don't need to put anything in those fields. If you are looking to have the BIG-IP make sure that the certificate on the server is a valid certificate (similar to how a browser validates the server cert) then use the Server Authentication section that you are referring to. Set it to required and set the appropriate action for expired and untrusted certificates.
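To put the answers above into configuration, here is an added tmsh example that is not from the thread or from F5: it shows the inherited profile as described in the question (cert/key copied from the client-side profile, no validation) beside a corrected profile that actually verifies the pool members' certificates. The object names (/Common/backend-ca.crt, /Common/app.example.com.crt and .key, /Common/backend-ssl-asis, /Common/backend-ssl-verified, /Common/vs_app_443, /Common/old-serverssl) are assumptions for illustration. The property names are the ones in the v11.x tmsh reference for ltm profile server-ssl; confirm them on your version with `tmsh help ltm profile server-ssl`.

```tmsh
# Added example, not from the thread. All object names below are assumed.
# Property names per the v11.x "ltm profile server-ssl" reference; verify with:
#   tmsh help ltm profile server-ssl

# 1. What the inherited profile amounts to. The cert/key were copied in from the
#    client-side profile, which only matters if the back end requests a client
#    certificate. peer-cert-mode is still the default "ignore", so whatever the
#    pool member presents (expired, self-signed, wrong CA) is accepted and
#    traffic keeps flowing.
create ltm profile server-ssl /Common/backend-ssl-asis {
    defaults-from /Common/serverssl
    cert /Common/app.example.com.crt
    key  /Common/app.example.com.key
    peer-cert-mode ignore
}

# 2. Corrected profile. No cert/key, because the back end does not ask the
#    BIG-IP for a client certificate. The server's certificate must chain to the
#    CA bundle in ca-file, and an expired or untrusted certificate drops the
#    server-side connection instead of being silently accepted. server-name sets
#    the SNI the BIG-IP sends, so a name-based virtual host on the pool member
#    returns the right certificate.
create ltm profile server-ssl /Common/backend-ssl-verified {
    defaults-from /Common/serverssl
    peer-cert-mode require
    ca-file /Common/backend-ca.crt
    authenticate-depth 9
    expire-cert-response-control drop
    untrusted-cert-response-control drop
    server-name app.example.com
}

# 3. Swap the profile on the virtual server's server-side context.
modify ltm virtual /Common/vs_app_443 profiles delete { /Common/old-serverssl }
modify ltm virtual /Common/vs_app_443 profiles add { /Common/backend-ssl-verified { context serverside } }

# 4. Confirm what is in effect, then save.
list ltm profile server-ssl /Common/backend-ssl-verified
list ltm virtual /Common/vs_app_443 profiles
save sys config
```

Two practical points follow from this. First, the answer to the second half of the question: with peer-cert-mode ignore (the as-is profile), a mismatched or expired certificate on the pool member does not stop the BIG-IP from proxying; with peer-cert-mode require and the two response controls set to drop, the server-side handshake fails and the client sees a reset or an empty reply, so the corrected profile turns a silent expiry into a visible outage, and the pool members' certificates have to be renewed before the CA bundle is tightened. Second, the check covers the chain and the validity dates, not whether the subject name matches the pool member, so keep the ca-file to the CA that issues your back-end certificates only rather than a general public bundle. Before enabling require, test each member the way the BIG-IP will see it: `openssl s_client -connect <member-ip>:443 -servername app.example.com -CAfile backend-ca.crt` should end with `Verify return code: 0 (ok)`; anything else is what the profile will drop.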