Forum Discussion

Jari_Hyttinen_1's avatar
Jari_Hyttinen_1
Icon for Nimbostratus rankNimbostratus
Jun 03, 2013

HTTPS monitor with SNI support

We have published a SharePoint 2013 environment with several applications installed on SharePoint.

 

Both client ssl and server ssl profiles are in use in all VIPS.

 

SharePoint use SNI (Server Name Indication) in order to map correct SSL certificate with the application.

 

Now I faced a problem, standard HTTPS monitor do not support SNI (checked with F5 Support).

 

However I need to monitor those SharePoint with valid content monitor.

 

I tried to to create external monitor by using curl. I haven't had success.

 

Has anyone faced similar problem and managed to solve it somehow?

 

I would appreisate any help.

 

 

 

management
monitoring

7 Replies

Sort By
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jun 03, 2013
    So you're doing SNI on the SERVER SIDE?

     

     

    If so, I believe an external monitor with cURL is still your best bet. The one trick is that you have to use the server's name in the request instead of the IP address. For this you'll either need a Hosts entry on the BIG-IP or DNS resolution. If you can be in a position to watch the SSL traffic to the web server, you should see cURL's TLS CLIENTHELLO message with a Server Name Indication extension value near the bottom of the payload.
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 03, 2013
    i understand you got http 401 when using curl. was authentication indeed correct?
  • Jari_Hyttinen_1's avatar
    Jari_Hyttinen_1
    Icon for Nimbostratus rankNimbostratus
    Jun 03, 2013

    Hi,

     

    Yes, we are doing SNI on server side. It is customer requirement.

     

    One problem with curl is that I can't use FQDN host name in url, because I have several pool members.

     

    I have to connect them individually to see are they running normally or not.

     

    However, I have tested this by adding one of the server IP addresses to BIG-IP host table.

     

    I tried curl command:

     

    curl -fNs -k -1 -v -A "Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)" https://mysite.domain.com/page.html -H "Host: mysite.domain.com"

     

    I received HTTP 401 (Authentication request).

     

     

    However I can connect same URL without authentication if I use normal browser.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jun 03, 2013
    The fact that you're getting a 401 from the server means that you're past the SSL negotiation, and likely a completely different issue. Can you run a capture at the browser side and the cURL side and compare the two? A 401 response potentially suggests that the browser is silently sending credentials that the cURL script cannot.
  • Jari_Hyttinen_1's avatar
    Jari_Hyttinen_1
    Icon for Nimbostratus rankNimbostratus
    Jun 04, 2013

    Hi,

     

    Sure, I can take capture and decrypt it with ssldump.

     

    But according my knowledge the page I'm requesting has been published as for unauthenticated users.

     

    Any of my browsers do not have any user accounts saved related to this service.

     

    But I can check that with capturing the traffic.

     

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jun 04, 2013
    What you'll want to look for is the headers in the 401 response to cURL, and the headers in the browser's request. Most likely an "Authorization" header.
  • nammerl_146523's avatar
    nammerl_146523
    Icon for Nimbostratus rankNimbostratus
    Mar 19, 2014

    Hi Jari,

     

    We are confronted with the same challenge one year later. Did you manage to resolve your problem?

     

    BR Nico