Forum Discussion

dragonflymr
May 25, 2015

serverssl profile with only certificate - v10.0.1

Hi,

I have a VS with a serverssl profile assigned that has only a certificate configured, no private key. As far as I understand the purpose of assigning a certificate to serverssl, it doesn't make sense.

Such a configuration is required only when LTM should be able to perform certificate-based authentication as a client, when the target server requires it. Without a private key it is not possible. Am I right here?

The problem is that in 10.0.1 it's possible to save a profile with only a cert assigned; it's not possible in 11.6.0, where the GUI displays an error about the missing private key, which seems logical.

However, in v10, when the VS has a serverssl profile with certificate only assigned, https connections to the target server are working. When the default serverssl profile is assigned to the same server (so no cert and no private key), communication with the target server is no longer working.

Any ideas what could be the reason?

Piotr

 

5 Replies

  • Such a configuration is required only when LTM should be able to perform certificate-based authentication as a client, when the target server requires it. Without a private key it is not possible. Am I right here?

    I agree.

    When the default serverssl profile is assigned to the same server (so no cert and no private key), communication with the target server is no longer working.

    Have you tried tcpdump/ssldump? What did you get?

    • dragonflymr
      I have no direct access to the system, waiting for the dump to be provided. Still, the profile that is working differs from the built-in serverssl only in the area of the certificate assigned. All other settings are the same as in the built-in profile - a bit strange that the result of using the built-in profile is loss of communication with the target server. Here is the working profile:

          server-ssl some_name {
              alert-timeout 60
              authenticate once
              authenticate-depth 9
              authenticate-name none
              ca-file none
              cache-size 20000
              cache-timeout 3600
              cert some.crt
              chain none
              ciphers DEFAULT
              crl-file none
              defaults-from serverssl
              handshake-timeout 60
              key none
              mod-ssl-methods disabled
              mode enabled
              options { dont-insert-empty-fragments }
              partition Common
              passphrase none
              peer-cert-mode ignore
              renegotiate-period indefinite
              renegotiate-size indefinite
              strict-resume disabled
              unclean-shutdown enabled
          }

      I was suspecting issues with ciphers, but the custom profile and the built-in profile are both using DEFAULT.

      Piotr
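An added example, not from the thread or from F5: a small Python parser for the bigpipe-style profile text quoted above, plus the sanity check the v11.6 GUI applies (a cert with no private key cannot authenticate the BIG-IP as a TLS client). It also flags peer-cert-mode ignore, under which the pool member's certificate is not verified; the sample input is the reply's profile with the closing brace restored, and some_name / some.crt are the thread's own placeholders.

```python
# Constructed input: the thread's working profile, closing brace restored.
SAMPLE_PROFILE = (
    "server-ssl some_name { alert-timeout 60 authenticate once "
    "authenticate-depth 9 authenticate-name none ca-file none cache-size 20000 "
    "cache-timeout 3600 cert some.crt chain none ciphers DEFAULT crl-file none "
    "defaults-from serverssl handshake-timeout 60 key none mod-ssl-methods disabled "
    "mode enabled options { dont-insert-empty-fragments } partition Common "
    "passphrase none peer-cert-mode ignore renegotiate-period indefinite "
    "renegotiate-size indefinite strict-resume disabled unclean-shutdown enabled }"
)

def _parse_block(tokens, i):
    """Read key/value pairs up to the matching '}'; a nested '{ ... }' is a flag list."""
    block = {}
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return block, i + 1
        if i + 1 >= len(tokens):
            raise ValueError(f"dangling key {tok!r}")
        if tokens[i + 1] != "{":           # plain "key value" pair
            block[tok] = tokens[i + 1]
            i += 2
            continue
        j = i + 2                          # nested block, e.g. options { ... }
        while j < len(tokens) and tokens[j] != "}":
            j += 1
        if j >= len(tokens):
            raise ValueError(f"unterminated block for {tok!r}")
        block[tok] = tokens[i + 2:j]
        i = j + 1
    raise ValueError("unterminated profile")

def parse_profile(text):
    tokens = text.split()
    if len(tokens) < 3 or tokens[0] != "server-ssl" or tokens[2] != "{":
        raise ValueError("expected: server-ssl <name> { ... }")
    settings, _ = _parse_block(tokens, 3)
    return tokens[1], settings             # (profile name, settings dict)

def check_profile(settings):
    """Findings a reviewer would raise; empty list means the cert/key pairing is sane."""
    findings = []
    cert, key = settings.get("cert", "none"), settings.get("key", "none")
    if cert != "none" and key == "none":   # what the v11.6 GUI rejects
        findings.append("cert without key: cannot authenticate as a TLS client")
    if settings.get("peer-cert-mode") == "ignore":
        findings.append("peer-cert-mode ignore: pool member certificate not verified")
    return findings
```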
  • Hi,

    To sum up - the issue was virtual. As I suspected, the certificate in this serverssl profile was not necessary (anyway, it was pointless to set only a certificate).

    Admins just did not perform the test as I advised them :-)

    After doing it with my own hands, the VS magically started to work without a certificate assigned to the serverssl profile :-)

    Piotr