Forum Discussion

F5Apprentice112
Feb 27, 2019

Connection terminates/closes with Server SSL Profile --> Server Authentication --> Server Certificate parameter set to require

I have one F5 LTM and one server in its pool. Connection is encrypted end-to-end. Client to F5 is 443. And F5 LTM to server is 443. F5, subsequently, has Client SSL Profile and Server SSL Profile enabled.
For reference to Server SSL Profile, please see the Overview of the Server SSL profile article.
I observed that F5 LTM was not validating the server certificate. I can choose any server certificate on the server side, no problem. I ran a Wireshark trace on the server to confirm and observed that, yes, F5 accepts the server certificate. I was able to confirm F5 is configured with default Server SSL Profile settings, which means the Server Certificate parameter (under the Server Authentication section) is set to Ignore, since that is the default.

(An aside to the main topic is why would Ignore be the default or even an option? Why wouldn't you want to close a security loophole, however low risk it must be? What is a legitimate purpose for ignoring server certificate validation, aside from things like dev work, testing, and troubleshooting?)

 

Set the Server Certificate to Require and the website could not load. HTTP 500 error. Connection was terminated (reset/closed). From the Wireshark trace on the server side, it appears the SSL handshake completes but then the connection closes, e.g. [FIN, ACK]. Not precisely sure why this one configuration change causes the connection to terminate. To my recollection, Authenticate Name is currently blank. Of course, if this problem can be solved, that parameter will be set to the server's FQDN.

I'd be most grateful for any help on what I may be missing or doing incorrectly.
Thank you for your time.
1 Reply

  • If you want the F5 to perform SSL server authentication, in the server-ssl profile you need to:

    1) set peer-cert-mode to require

    2) specify an authenticate-name (to match the common name/SAN name on the cert)

    3) specify the ca-file. This is the root CA cert corresponding to the cert installed on the server (so that the chain of trust can complete).

    If you still experience issues, try running an ssldump on the F5 and post the results.
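A worked version of those three steps, added here as an example and not part of the reply or of F5's own documentation. It is a POSIX shell script meant to be run from the BIG-IP bash prompt: it first reproduces offline what peer-cert-mode require will check (the pool member's certificate must chain to the ca-file and its SAN must match authenticate-name) using openssl, and only then installs the CA and creates the profile with tmsh. The profile name serverssl-verify, the cert object name internal-root-ca, the hostname app.example.internal and the throwaway CA/server certificates built by make_demo_pki are all constructed for the example.

```shell
#!/bin/sh
# Preflight and apply server-side certificate validation on a BIG-IP.
# Added example; profile, cert-object and hostnames are assumptions.
set -u

# Build a throwaway PKI (constructed sample data, not real certificates):
# one root CA, a server cert it signed, and an unrelated CA for the negative case.
make_demo_pki() {
    dir=$1
    # Minimal req config so the run does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    for ca in ca other-ca; do
        openssl req -x509 -config "$dir/req.cnf" -subj "/CN=Demo $ca" \
            -newkey rsa:2048 -nodes -sha256 -days 1 \
            -keyout "$dir/$ca.key" -out "$dir/$ca.pem" >/dev/null 2>&1 || return 1
    done
    openssl req -new -config "$dir/req.cnf" -subj "/CN=app.example.internal" \
        -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    # The SAN is what authenticate-name is matched against.
    printf 'subjectAltName=DNS:app.example.internal\n' > "$dir/san.ext"
    openssl x509 -req -sha256 -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/server.pem" >/dev/null 2>&1
}

# Same two checks peer-cert-mode=require performs: chain of trust to the CA
# file (ca-file) and name match (authenticate-name). Returns 0 only if both pass.
preflight_verify() {
    ca_pem=$1; server_pem=$2; name=$3
    openssl verify -CAfile "$ca_pem" -verify_hostname "$name" "$server_pem" >/dev/null 2>&1
}

# Steps 1-3 from the reply, applied with tmsh (only works on the BIG-IP itself).
# Attach the resulting profile to the virtual server's server side afterwards.
apply_serverssl_profile() {
    ca_pem=$1; profile=$2; ca_object=$3; name=$4
    command -v tmsh >/dev/null 2>&1 || { echo "tmsh not found: run this on the BIG-IP" >&2; return 2; }
    # 3) the root CA that issued the pool member's certificate, as a cert object
    tmsh install sys crypto cert "$ca_object" from-local-file "$ca_pem" || return 1
    # 1) peer-cert-mode require, 2) authenticate-name, 3) ca-file
    tmsh create ltm profile server-ssl "$profile" defaults-from serverssl \
        peer-cert-mode require authenticate-name "$name" \
        ca-file "$ca_object" authenticate-depth 9 || return 1
    tmsh list ltm profile server-ssl "$profile"
}

# Stand-alone demo: build the throwaway PKI and run the preflight three ways.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_demo_pki "$work" || exit 1
    preflight_verify "$work/ca.pem" "$work/server.pem" app.example.internal \
        && echo "chain and name OK: require would accept this cert"
    preflight_verify "$work/other-ca.pem" "$work/server.pem" app.example.internal \
        || echo "wrong ca-file: require would reset the connection"
    preflight_verify "$work/ca.pem" "$work/server.pem" other.example.internal \
        || echo "authenticate-name mismatch: require would reset the connection"
fi
```

Run `sh script.sh demo` on any host with OpenSSL 1.1 or newer to see the three outcomes; on the BIG-IP, run `preflight_verify /var/tmp/root-ca.pem /var/tmp/member.pem app.example.internal` against the certificate actually presented by the pool member before calling `apply_serverssl_profile /var/tmp/root-ca.pem serverssl-verify internal-root-ca app.example.internal`. If the preflight fails for the wrong-CA or name-mismatch reason, the F5 will behave exactly as described in the question: the handshake appears to complete on the wire and the BIG-IP then closes the connection.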