[BIG-IP] Test the server authentication operation of Server SSL profile

Load Balancer

Work environment

  • BIG-IP Virtual Edition
    • version 15.x.x

Server authentication in Server SSL profile

The Server SSL profile is a profile applied to a virtual server and used for the SSL connection between BIG-IP and the real (pool member) server; in that connection BIG-IP acts as the SSL client.

In the Server SSL profile settings, you can choose whether BIG-IP validates the certificate presented by the real server, that is, whether it performs server authentication. (By default, server authentication is not performed: BIG-IP accepts whatever certificate the real server presents.)

Here, we will test this server authentication operation.

The Client SSL profile settings for the SSL connection between the client and BIG-IP, and the virtual server settings, are omitted here; they are assumed to be configured appropriately.

Test environment

Since we only want to test the server authentication operation of the Server SSL profile this time, a single real server is prepared, as shown in the figure below.

  • BIG-IP
    • Virtual Edition version 15.x.x
  • Client
    • Windows 10
  • Web server
    • CentOS 8
    • httpd-2.4.37-39
    • mod_ssl-2.4.37-39

Setting items related to server authentication

The main setting items of the Server SSL profile related to server authentication are as follows.

  • Server Authentication
    • Server Certificate
      • ignore (default): BIG-IP ignores the certificate presented by the server and does not authenticate the server
      • require: Enforces server authentication. The server must present a valid certificate, one that chains to a CA listed in Trusted Certificate Authorities, before the SSL session is established
    • Trusted Certificate Authorities
      • Specifies the CA certificate that the BIG-IP system trusts when validating the server certificate
      • Selected from the certificates imported into BIG-IP
      • default: None

Other setting items

  • Expire Certificate Response Control
    • Specifies how to handle the SSL connection when the server certificate has expired
    • Ignore: Ignore the expired server certificate and continue establishing the connection
    • Drop (default): The SSL connection is dropped
  • Untrusted Certificate Response Control
    • Specifies how to handle the SSL connection when the server certificate was issued by an untrusted CA
    • Ignore: Ignore the untrusted CA and continue establishing the connection
    • Drop (default): The SSL connection is dropped
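As an added example (not from the original post), the same settings expressed in tmsh, the BIG-IP command line, so that the GUI fields above can be mapped to their configuration attributes: peer-cert-mode is Server Certificate, ca-file is Trusted Certificate Authorities, and the two response controls keep their names. The profile names, the CA object /Common/web-ca.crt (a CA certificate assumed to have been imported into BIG-IP beforehand) and the hostname web.example.test are assumptions.

```tmsh
# Weak (default) setting: peer-cert-mode ignore, i.e. Server Certificate = ignore.
# BIG-IP accepts whatever certificate the real server presents.
create ltm profile server-ssl serverssl-noauth defaults-from serverssl peer-cert-mode ignore

# Hardened setting: Server Certificate = require, the signing CA as Trusted
# Certificate Authorities, and both response controls left at drop.
create ltm profile server-ssl serverssl-auth defaults-from serverssl peer-cert-mode require ca-file /Common/web-ca.crt expire-cert-response-control drop untrusted-cert-response-control drop

# Optional but recommended: pin the expected Common Name (Authenticate Name).
# Without it, require only checks that the chain ends at the trusted CA, not
# which server within that CA's namespace presented the certificate.
modify ltm profile server-ssl serverssl-auth authenticate-name web.example.test

# Show the resulting attributes (peer-cert-mode, ca-file, ...-response-control).
list ltm profile server-ssl serverssl-auth
```

The profile takes effect once it is attached to the virtual server on the server side, for example with `modify ltm virtual <virtual server name> profiles add { serverssl-auth { context serverside } }`.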

Case where Server Certificate is ignore

In this case (the default), the server certificate is ignored and no authentication is performed.

The expected result in this case is that the client can access the web server without any problems.

When accessing https://192.168.75.11/ (BIG-IP) from the client, I was able to confirm that the Apache test page is displayed, as shown below.

Case where Server Certificate is require

In this case the server certificate is validated, so Trusted Certificate Authorities must be set. Let's check the behaviour for each value of Trusted Certificate Authorities.

Case where an incorrect certificate is specified

The settings are as shown in the image below: a certificate that has nothing to do with the Web server's certificate chain is specified in Trusted Certificate Authorities.

The expected result in this case is that the client cannot access the web server.

When I accessed https://192.168.75.11/ (BIG-IP) from the client, I was able to confirm that it could not be accessed, as shown below.

The browser (Edge) shows the error ERR_CONNECTION_RESET: BIG-IP could not establish the server-side SSL connection (Untrusted Certificate Response Control is Drop), so the client-side connection is reset.

Case where the correct certificate is specified

Next, the settings are as shown in the image below: the certificate of the CA that signed the Web server's certificate is specified in Trusted Certificate Authorities.

The expected result in this case is that the client can access the web server.

When accessing https://192.168.75.11/ (BIG-IP) from the client, I was able to confirm that the Apache test page is displayed, as shown below.
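To make the decision logic behind the three cases above concrete, here is an added example, written for this page and not code from the original post or from F5, that replays them with Python's ssl module. The client context takes the role of BIG-IP as SSL client: verify_mode stands in for Server Certificate (ignore/require) and the CA loaded with load_verify_locations stands in for Trusted Certificate Authorities. The PKI is a constructed fixture: a throw-away CA (good-ca), a server certificate it signs, and an unrelated CA (other-ca) that plays the "incorrect certificate". The openssl command-line tool is assumed to be installed; the CA names and the hostname web.example.test are assumptions.

```python
"""Replay the Server SSL profile cases with Python's ssl module (added example).

The client context plays BIG-IP as SSL client: verify_mode mirrors
Server Certificate (ignore/require) and the CA passed to load_verify_locations
mirrors Trusted Certificate Authorities. Fixture assumptions: the openssl CLI is
on PATH; good-ca, other-ca and web.example.test are made-up names.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_pki(workdir):
    """Constructed fixture: two unrelated CAs and a server cert signed by good-ca."""
    p = {}
    for name in ("good-ca", "other-ca"):
        p[name] = os.path.join(workdir, f"{name}.crt")
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                 "-subj", f"/CN={name}",
                 "-addext", "keyUsage=critical,keyCertSign,cRLSign",
                 "-keyout", os.path.join(workdir, f"{name}.key"), "-out", p[name])
    p["server.key"] = os.path.join(workdir, "server.key")
    p["server.crt"] = os.path.join(workdir, "server.crt")
    csr = os.path.join(workdir, "server.csr")
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-subj", "/CN=web.example.test", "-keyout", p["server.key"], "-out", csr)
    _openssl("x509", "-req", "-days", "1", "-in", csr, "-CA", p["good-ca"],
             "-CAkey", os.path.join(workdir, "good-ca.key"), "-CAcreateserial",
             "-out", p["server.crt"])
    return p


def run_server(p, ready, port_box):
    """The real web server: one TLS accept, then a minimal HTTP reply."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(p["server.crt"], p["server.key"])
    with socket.socket() as lsock:
        lsock.bind(("127.0.0.1", 0))
        lsock.listen(1)
        port_box.append(lsock.getsockname()[1])
        ready.set()
        conn, _ = lsock.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1024)
                tls.sendall(b"HTTP/1.0 200 OK\r\n\r\nApache test page\r\n")
        except (ssl.SSLError, OSError):
            pass  # the client rejected our certificate and tore the handshake down
        finally:
            conn.close()


def bigip_client(port, peer_cert_mode, trusted_ca=None):
    """peer_cert_mode 'ignore' -> CERT_NONE; 'require' -> CERT_REQUIRED + trusted_ca."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # Authenticate Name = None: chain check only, no CN check
    if peer_cert_mode == "ignore":
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=trusted_ca)
    with socket.create_connection(("127.0.0.1", port)) as sock:
        try:
            with ctx.wrap_socket(sock) as tls:
                tls.sendall(b"GET / HTTP/1.0\r\n\r\n")
                return "ok" if b"200 OK" in tls.recv(1024) else "bad-response"
        except ssl.SSLCertVerificationError as e:
            # Equivalent of the Drop response control: the server-side SSL connection dies.
            return f"rejected: {e.verify_message}"


def run_case(p, peer_cert_mode, trusted_ca=None):
    ready, port_box = threading.Event(), []
    t = threading.Thread(target=run_server, args=(p, ready, port_box), daemon=True)
    t.start()
    ready.wait(5)
    result = bigip_client(port_box[0], peer_cert_mode, trusted_ca)
    t.join(5)
    return result


def run_all_cases():
    """Return the outcome of the three cases tested in the post."""
    with tempfile.TemporaryDirectory() as d:
        p = make_pki(d)
        return {
            "ignore": run_case(p, "ignore"),
            "require + wrong CA": run_case(p, "require", p["other-ca"]),
            "require + correct CA": run_case(p, "require", p["good-ca"]),
        }


if __name__ == "__main__":
    for case, outcome in run_all_cases().items():
        print(f"{case:22} -> {outcome}")
```

The "ignore" case succeeds against any certificate, the "require + wrong CA" case fails during the handshake with a certificate verification error (this is the server-side failure that the browser in the post sees as ERR_CONNECTION_RESET), and the "require + correct CA" case succeeds. Note that check_hostname is deliberately off to match a profile whose Authenticate Name is empty: any certificate issued by the trusted CA passes, whichever host it names.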

When Untrusted Certificate Response Control is Ignore

Untrusted Certificate Response Control specifies how to handle the SSL connection when the server certificate was issued by an untrusted CA. When it is set to Ignore, BIG-IP ignores the untrusted CA and continues establishing the connection; in other words, the connection is established even if an incorrect certificate is specified in Trusted Certificate Authorities.

You are unlikely to set this to Ignore in practice, since it cancels out the check that require is meant to enforce (BIG-IP would connect to a server presenting any certificate); it is shown here for reference only.

Conclusion

If you set Server Certificate to require in the Server SSL profile, set the certificate of the CA that actually signed the real server's certificate in Trusted Certificate Authorities, and leave Untrusted Certificate Response Control at Drop so that the check is enforced.

References

https://support.f5.com/csp/article/K14806

