Expired Certificate and HTTPS Probe Problem

Unanswered Question
Oct 15th, 2009

Hi,


While configuring an HTTPS probe I observe that if the certificate on the target server is expired, the ACE marks the server as PROBE-FAILED. A Wireshark trace shows that the ACE refuses an expired certificate. Here is the probe configuration:


probe https NCL_PROBE_HTTPS
  description *** Server Health Probe ***
  interval 5
  faildetect 2
  passdetect interval 5
  passdetect count 2
  receive 4
  ssl version all
  request method get url /monitor/
  expect status 200 200
  header User-Agent header-value "Juniper DX 3200"
  open 2
  expect regex "OK"


I know that I can disable the validation check with an ssl parameter-map, but such a map is only applicable to an ssl-proxy service, not to a probe...


How do I make sure that the probe also ignores the invalid certificate?


Thank you for any help


Yves Haemmerli


hadbou Thu, 10/22/2009 - 06:27

For the HTTPS probe sent by the ACE, if the server sends an expired certificate, then the ACE rejects that certificate and closes the connection with an RST.
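
Because the probe fails the same way whether the real server is down or only its certificate has expired, a check run from a management host can tell the two apart and warn before expiry. The following is an added example, not part of the original thread and not Cisco code; the function names, the 30-day warning window and the 4-second timeout are assumptions, and the host passed to `check_real_server` is whatever real server the probe targets.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL verification code reported when the peer certificate has expired.
X509_V_ERR_CERT_HAS_EXPIRED = 10


def classify_not_after(not_after, now, warn_days=30):
    """Classify a getpeercert()['notAfter'] string against `now` (aware UTC)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                     tz=timezone.utc)
    days_left = (expires - now).days
    if expires <= now:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left      # renew before the probe starts failing
    return "ok", days_left


def classify_verify_error(err):
    """Separate an expired certificate from other validation failures."""
    if getattr(err, "verify_code", None) == X509_V_ERR_CERT_HAS_EXPIRED:
        return "expired"
    return "untrusted"                    # unknown CA, hostname mismatch, ...


def check_real_server(host, port=443, now=None, timeout=4.0):
    """Return (state, days_left) for one real server behind the load balancer."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()    # validation stays enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify_not_after(tls.getpeercert()["notAfter"], now)
    except ssl.SSLCertVerificationError as err:
        # Must be caught before OSError: SSL errors are OSError subclasses.
        return classify_verify_error(err), None
    except OSError:
        return "down", None               # refused, timed out, or TLS failure


if __name__ == "__main__":
    # Constructed sample: a notAfter value checked one week after it passed.
    sample = "Oct 15 00:00:00 2009 GMT"
    print(classify_not_after(sample, datetime(2009, 10, 22, tzinfo=timezone.utc)))
```

A result of `expired` while the service itself answers points at certificate renewal rather than at the server or the probe settings.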
