Forum Discussion
The result is expected for the configuration you have.
You need to change "Server Certificate" from "ignore" to "require", and enter the name defined as "Common Name (CN)" in the SSL certificate of your app server in the field "Authenticate Name". Make sure you choose a CA bundle that can validate the SSL certificate of your app server in the field "Trusted Certificate Authorities".
Apply the iRule above to log the validation result to assist troubleshooting.
- Tom_Schaefer, Aug 13, 2019 (Cirrus)
Thanks. That is a problem as I have a single virtual server for outbound https servers. I use an iRule to select the profile and set the host name. I was hoping to not have to create a separate profile for each remote host I want to connect with. It sounds like that is not an option.
If I had the ability to dynamically set the Authenticate Name in an iRule, that would help.
I will say it was not obvious that the Invalid and expired options were dependent upon the Server Certificate being set to require.
Thanks for the assistance.
- JG, Aug 13, 2019 (Cumulonimbus)
I simplified a bit. In other words, "Authenticate Name" must be covered by the certificate sent by the app server.
When F5 connects out, it needs to verify the authenticity of its peer by validating the certificate it receives from the app server.
- Tom_Schaefer, Aug 13, 2019 (Cirrus)
One more point: that iRule will have to wait until we are on v13, as that event is new to v13.