If the "Authenticate Name" field is empty, then it is always authenticated.
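At the minimum, you can test with the following iRule:

    when SERVERSSL_SERVERCERT {
        # Default value, overwritten below
        set result "null"
        # Convert the numeric verification result for the server certificate into readable text
        set result [X509::verify_cert_error_string [SSL::verify_result]]
        log local0. "Server cert validation result: $result"
    }
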
to see the end result, to start with.
- Tom_Schaefer, Aug 09, 2019 (Cirrus)
I forgot to mention we are not yet on v13 (when SERVERSSL_SERVERCERT was added, I believe). But forgetting the iRule for a moment, in just general LTM configuration, is there any way to prevent the BIG-IP from connecting to the TLS server if the cert is not valid? I ask as even with drop, it still connects if the cert is expired or a bad CA. I'm wondering if those two options are just for CLIENTSSL and not SERVERSSL.
- JG, Aug 10, 2019 (Cumulonimbus)
Will you be able to share a screenshot of the section "Server Authentication" of your server-side SSL profile?
- boneyard, Aug 10, 2019 (MVP)
That should not be the case with the correct settings.
Next to the question JG is asking, are you sure you are reaching that badssl.com server and not something else?
- Tom_Schaefer, Aug 12, 2019 (Cirrus)
Here is a screenshot. Note I have Server Certificate as Ignore as I wanted to set the Authenticate Name in the iRule (but that does not seem possible).
This is focusing on why, with Drop on both Expire and untrusted, I can still make the connection with this profile.