Work environment
- BIG-IP Virtual Edition
- version 15.x.x
Server authentication in Server SSL profile
The Server SSL profile is a profile that is applied to a virtual server and used for SSL communication between BIG-IP and a real server using BIG-IP as an SSL client.
In the Server SSL profile settings, you can set whether BIG-IP uses the server certificate of the real server for server authentication. (By default, server authentication is not performed.)
Here, we will test this server authentication operation.
Test environment
Since we want to test only the server authentication operation of the Server SSL profile this time, prepare only one real server as shown in the figure below.
- BIG-IP
- Virtual Edition version 15.x.x
- Client
- Windows 10
- Web server
- CentOS 8
- httpd-2.4.37-39
- mod_ssl-2.4.37-39
Setting items related to server authentication
The main setting items of Server SSL profile related to server authentication are as follows.
Server AuthenticationServer Certificate- ignore(default):BIG-IP ignores the certificate from the server and does not authenticate the server
- require:Enforce server authentication. The server must present a valid certificate before establishing an SSL session
Trusted Certificate Authorities- Specify a CA certificate that the BIG-IP system trusts when validating the server certificate
- Select from the certificates imported into BIG-IP
- default:None
Other setting items
- Expire Certificate Response Control
- Specifies how to handle SSL connections when the server certificate expires
- Ignore:Ignore expired server certificate and continue establishing connection
- Drop(default):SSL connection drops
- Untrusted Certificate Response Control
- Specifies how to handle SSL connections when the server certificate has an untrusted CA
- Ignore:Ignore untrusted CA and continue establishing connection
- Drop(default):SSL connection drops
Case where Server Certificate is ignore
In this case (default), the server certificate is ignored and authentication is not performed.
The expected result in this case is that the client can access the web server without any problems.
When accessing https://192.168.75.11/ (BIG-IP) from the client, I was able to confirm that the Apache test page is displayed as shown below.
Case where Server Certificate is require
In this case, validate the server certificate. In this case, you need to set up Trusted Certificate Authorities. Let’s verify the value of Trusted Certificate Authorities in each case.
Case where an incorrect certificate is specified
The settings are as shown in the image below, and the certificate that is not related to the server certificate of the Web server is specified in Trusted Certificate Authorities.
The expected result in this case is that the client cannot access the web server.
When I accessed https://192.168.75.11/ (BIG-IP) from the client, I was able to confirm that it could not be accessed as follows.
The browser (Edge) error message is ERR_CONNECTION_RESET.
Case where the correct certificate is specified
Next, the settings are as shown in the image below, and the certificate of the CA that signed the server certificate of the Web server is specified in Trusted Certificate Authorities.
The expected result in this case is that the client can access the web server.
When accessing https://192.168.75.11/ (BIG-IP) from the client, I was able to confirm that the Apache test page is displayed as shown below.
When Untrusted Certificate Response Control is Ignore
Untrusted Certificate Response Control is a field that specifies how to handle SSL connections when the server certificate has an untrusted CA. If this is Ignore, ignore the untrusted CA and continue establishing the connection. That is, the connection is established even if the Trusted Certificate Authorities specify an incorrect certificate.
It is unlikely that you will set this setting to Ignore, but for reference.
Conclusion
If you set the Server Certificate to require in the Server SSL profile, set the appropriate CA certificate in Trusted Certificate Authorities.
References
Comments