Forum Discussion

mishpan_70054
Jan 29, 2013

How does the HTTPS monitor work?

I'd like to know how the HTTPS monitor works, i.e. what happens in the background when we assign an HTTPS monitor to a pool.

- Does it use the openssl command in the background?

- Does it use the curl command in the background?

- Or some other mechanism?

I also noticed that the server response does not contain any certificate in it. Please check the attached doc.

 

8 Replies

  • Have you specified a send and receive string? If not, only a service check is performed (possibly why you don't see a certificate). You should configure a send and receive string to ensure the full monitor functionality is used.

    I don't believe OpenSSL or curl are used to perform the monitoring; this is a built-in TMM function. However, OpenSSL may be used to 'handle' the SSL if necessary.
  • Thanks for your response. We do have send & receive strings defined, but I am still seeing the handshake flow below, and I can see it is marking the pool member up.

    Client sends --> Client Hello
    Server sends --> Server Hello; Change Cipher Spec; Encrypted Handshake Message
    Client sends --> Change Cipher Spec; Encrypted Handshake Message

    Monitor configured as:

    monitor abc.com__https_monitor {
        defaults from https
        recv " LB -Health Monitoring purposes"
        send "GET /lbhealthPage.htm HTTP/1.1\r\nHost: abc.intranet\r\nConnection: close\r\n\r\n"
    }

  • This will be due to the SSL/TLS session being resumed. See here: http://en.wikipedia.org/wiki/Transport_Layer_Security#Resumed_TLS_handshake
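To make the two replies above concrete, here is an added example (not BIG-IP or TMM code, and not taken from the poster's attachment) that walks raw TLS 1.2 records the way a capture tool does and tells a full handshake apart from the abbreviated one the poster saw. The two "captures" it classifies are constructed in the code and carry only the handshake fields the classifier reads; the session ID, cipher suite and message bodies are placeholders.

```python
"""Classify a TLS 1.2 handshake as full or abbreviated (resumed) from raw
record bytes, the way you'd read the capture in the post above.

Added example for this thread, not BIG-IP or TMM code. The two "captures"
below are constructed in code, not taken from the poster's attachment;
they carry only the fields the classifier reads.
"""
import struct

CCS, HANDSHAKE = 20, 22          # TLS record content types
TLS12 = b"\x03\x03"
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 14: "ServerHelloDone",
            16: "ClientKeyExchange", 20: "Finished"}


def record(ctype, payload):
    """TLS record: type(1) version(2) length(2) fragment."""
    return bytes([ctype]) + TLS12 + struct.pack("!H", len(payload)) + payload


def handshake(htype, body):
    """Handshake message: type(1) length(3) body."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def client_hello(session_id):
    body = TLS12 + bytes(32) + bytes([len(session_id)]) + session_id  # version, random, sid
    body += struct.pack("!H", 2) + b"\xc0\x2f"                        # one offered cipher suite
    body += b"\x01\x00"                                               # null compression only
    return handshake(1, body)


def server_hello(session_id):
    body = TLS12 + bytes(32) + bytes([len(session_id)]) + session_id
    body += b"\xc0\x2f\x00"                                           # chosen suite, compression
    return handshake(2, body)


def parse_flight(data):
    """Walk one direction's record stream; return (message names, session_id).

    Handshake records that follow a ChangeCipherSpec are encrypted, so they
    are reported as 'Encrypted handshake message', as a capture tool would.
    """
    msgs, session_id, encrypted, pos = [], None, False, 0
    while pos < len(data):
        ctype = data[pos]
        length = struct.unpack("!H", data[pos + 3:pos + 5])[0]
        frag = data[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == CCS:
            msgs.append("ChangeCipherSpec")
            encrypted = True
        elif ctype == HANDSHAKE and encrypted:
            msgs.append("Encrypted handshake message")
        elif ctype == HANDSHAKE:
            off = 0
            while off < len(frag):                 # a record may hold several messages
                htype = frag[off]
                hlen = int.from_bytes(frag[off + 1:off + 4], "big")
                body = frag[off + 4:off + 4 + hlen]
                off += 4 + hlen
                msgs.append(HS_NAMES.get(htype, f"handshake type {htype}"))
                if htype in (1, 2):                # both Hellos carry session_id_len at offset 34
                    session_id = body[35:35 + body[34]]
        else:
            msgs.append(f"record type {ctype}")
    return msgs, session_id


def classify(client_bytes, server_bytes):
    """A full handshake carries a Certificate from the server. An abbreviated
    one echoes the client's session ID and jumps from ServerHello straight to
    ChangeCipherSpec, which is why no certificate shows up in the capture."""
    c_msgs, c_sid = parse_flight(client_bytes)
    s_msgs, s_sid = parse_flight(server_bytes)
    resumed = ("Certificate" not in s_msgs and "ChangeCipherSpec" in s_msgs
               and bool(s_sid) and s_sid == c_sid)
    return {"client": c_msgs, "server": s_msgs, "resumed": resumed}


SID = bytes(range(32))                             # constructed session ID
ENC = record(HANDSHAKE, bytes(40))                 # stand-in for an encrypted Finished

# Constructed full handshake: client offers no session ID, server sends its certificate.
FULL_CLIENT = (record(HANDSHAKE, client_hello(b""))
               + record(HANDSHAKE, handshake(16, b"\x00\x00")) + record(CCS, b"\x01") + ENC)
FULL_SERVER = (record(HANDSHAKE, server_hello(SID) + handshake(11, bytes(3)) + handshake(14, b""))
               + record(CCS, b"\x01") + ENC)

# Constructed resumed handshake, the flow in the post: cached session ID offered and echoed.
RESUMED_CLIENT = record(HANDSHAKE, client_hello(SID)) + record(CCS, b"\x01") + ENC
RESUMED_SERVER = record(HANDSHAKE, server_hello(SID)) + record(CCS, b"\x01") + ENC

if __name__ == "__main__":
    for name, c, s in (("full", FULL_CLIENT, FULL_SERVER),
                       ("resumed", RESUMED_CLIENT, RESUMED_SERVER)):
        print(name, classify(c, s))
```

The server flight is the one to read: in the resumed case it goes ServerHello, ChangeCipherSpec, Encrypted Handshake Message with no Certificate or ServerHelloDone, exactly the three server messages listed in the post. The same "no Certificate from the server" test also covers resumption via session tickets (RFC 5077), where the server still echoes whatever session ID the client offered.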
  • You're welcome. I did actually try to find a way to prevent resumption on the BIG-IP for health monitors, but couldn't find anything.
  • Hi Steve

    I have one more doubt about the default https monitor: I cannot find any field to define a CA. So how does the LB verify the certificate presented by the server?

    - Does it go to /config/ssl/ssl.crt and check against each bundle?

    And what if the certificate provided by the server is self-signed?

    monitorroot type https {
        defaults from none
        interval 5
        up interval 0
        timeout 16
        time until up immediate
        dest *:*
        ignore down response disable
        enable
        is read only
        partition Common
        cert none
        cipherlist "DEFAULT:+SHA:+3DES:+kEDH"
        compatibility "enabled"
        key none
        password none
        recv disable none
        recv none
        send "GET /\r\n"
        username none
    }
  • I don't think the server certificate is validated in any way (as it would be by a browser), that's not the point of the monitor.
  • The monitor doesn't validate the server certificate to check if the service is available. If you want LTM to validate the server cert, you can configure this in a custom server SSL profile. The server cert will then be checked on load balanced connections to the pool.

    Aaron
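As an added example for the certificate question above (this is not the BIG-IP monitor implementation and makes no claim about how TMM does it internally), the following Python probe performs the check the thread describes: open TLS, send the send string, look for the receive string. Its default TLS context skips certificate validation the way the replies say the monitor does, so a self-signed or expired server certificate still lets the check pass; passing a CA bundle gives the validating behaviour a server SSL profile with verification enabled applies to load-balanced traffic. The host, port, CA path and strings in the usage block are assumptions.

```python
"""Health-check probe in the shape of an HTTPS send/recv monitor, with the
certificate-validation switch the thread asks about.

Added example, not the BIG-IP monitor implementation and not a claim about
how TMM does it internally: it only performs the check the thread describes
(open TLS, send the send string, look for the receive string). The host,
port, CA path and strings used in the usage block are assumptions.
"""
import socket
import ssl


def monitor_context(verify_ca=None):
    """Monitor-style TLS context: no certificate validation at all, so a
    self-signed or expired server certificate still lets the check pass.
    Pass a CA bundle path (or True for the system store) to get the check a
    server SSL profile with verification enabled applies to real traffic."""
    if verify_ca is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return ssl.create_default_context(cafile=verify_ca if isinstance(verify_ca, str) else None)


def verifies_peer(ctx):
    """True when the context will reject an untrusted server certificate."""
    return ctx.verify_mode != ssl.CERT_NONE


def recv_matches(recv_string, response):
    """Literal substring search over the whole response, headers included.
    An empty receive string reduces the check to 'the TLS session came up',
    so a member is marked up as soon as the handshake completes."""
    if not recv_string:
        return True
    return recv_string.encode() in response


def probe(host, port, send_string, recv_string, timeout=16, verify_ca=None, sni=None):
    """Return (up, reason). This is the network call; the offline helpers
    above are what the test exercises."""
    ctx = monitor_context(verify_ca)
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                tls.sendall(send_string.encode())
                while True:                      # read until close or first match
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
                    if recv_matches(recv_string, b"".join(chunks)):
                        break
    except ssl.SSLCertVerificationError as e:    # subclass of SSLError, so catch it first
        return False, f"certificate rejected: {e.verify_message}"
    except (ssl.SSLError, OSError) as e:
        return False, f"connection failed: {e}"
    if recv_matches(recv_string, b"".join(chunks)):
        return True, "receive string found"
    return False, "receive string not found"


if __name__ == "__main__":
    # Assumed target and CA path, mirroring the poster's monitor; not real values.
    SEND = "GET /lbhealthPage.htm HTTP/1.1\r\nHost: abc.intranet\r\nConnection: close\r\n\r\n"
    RECV = "LB -Health Monitoring purposes"
    print("monitor-style:", probe("10.0.0.10", 443, SEND, RECV, sni="abc.intranet"))
    print("verifying:    ", probe("10.0.0.10", 443, SEND, RECV, sni="abc.intranet",
                                  verify_ca="/path/to/ca-bundle.crt"))
```

Two caveats when comparing this with the poster's configuration: the example does a plain substring search, whereas BIG-IP treats the receive string as a regular expression, and the match is literal either way, so the leading space in the poster's recv string (`" LB -Health Monitoring purposes"`) is part of what has to appear in the response. Running the verifying variant against a member with a self-signed certificate is the quickest way to see the difference the last reply describes: the monitor-style probe reports the member up, the verifying one returns "certificate rejected".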