Certificate validation check with HTTPS probes

Answered Question
Oct 21st, 2009

Hi,

While configuring an HTTPS probe I observe that if the certificate on the target server is expired, the ACE marks the server as PROBE-FAILED. A Wireshark trace shows that the ACE refuses an expired certificate. Here is the probe configuration:

probe https NCL_PROBE_HTTPS
  description *** Server Health Probe ***
  interval 5
  faildetect 2
  passdetect interval 5
  passdetect count 2
  receive 4
  ssl version all
  request method get url /monitor/
  expect status 200 200
  header User-Agent header-value "Cisco ACE-4710"
  open 2
  expect regex "PROBE_OK"

I can disable the expiration date validation check with an SSL parameter-map, but such a map is only applicable to the backend session (on an ssl-proxy service), not to an HTTPS probe...

How do I make sure that my HTTPS probe can bypass the certificate validation check?

Thank you for any help

Yves Haemmerli

Correct Answer by Syed Iftekhar Ahmed about 7 years 4 months ago

With ACE 1.x code this probe wouldn't have failed.

With ACE 2.x code, the HTTPS probe checks the validity of the certificate sent by the server.

I don't think there is a way to change this behavior.

HTH

Syed Iftekhar Ahmed

Syed Iftekhar Ahmed Wed, 10/21/2009 - 01:22
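Since the answer above says the probe's validity check cannot be switched off, the practical control is to catch real-server certificates before they expire and the ACE marks the server PROBE-FAILED. The following is an added example, not part of the original thread and not Cisco code: it classifies the validity dates printed by `openssl x509 -noout -dates`; the server names, the sample dates, the fixed clock and the 30-day threshold are all constructed assumptions.

```python
import ssl
from calendar import timegm

WARN_DAYS = 30  # assumed renewal lead time, not from the thread

# Constructed sample data: hypothetical real servers and the output of
# `openssl x509 -noout -dates` for the certificate each one presents.
INVENTORY = {
    "web01": "notBefore=Oct 20 00:00:00 2008 GMT\nnotAfter=Oct 20 00:00:00 2009 GMT",
    "web02": "notBefore=Jan 15 00:00:00 2009 GMT\nnotAfter=Nov 10 00:00:00 2009 GMT",
    "web03": "notBefore=Mar 01 00:00:00 2009 GMT\nnotAfter=Mar 01 00:00:00 2011 GMT",
    "web04": "notBefore=Dec 01 00:00:00 2009 GMT\nnotAfter=Dec 01 00:00:00 2010 GMT",
}
NOW = timegm((2009, 10, 21, 0, 0, 0))  # fixed clock so the result is reproducible


def parse_dates(text):
    """Return (not_before, not_after) as epoch seconds from `-dates` output."""
    fields = dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)
    try:
        return tuple(ssl.cert_time_to_seconds(fields[k]) for k in ("notBefore", "notAfter"))
    except KeyError as exc:
        raise ValueError(f"missing field {exc}") from None


def classify(text, now=NOW, warn_days=WARN_DAYS):
    """Return (state, whole days until notAfter); days are negative once expired."""
    not_before, not_after = parse_dates(text)
    days_left = (not_after - now) // 86400
    if now < not_before:
        return "NOT_YET_VALID", days_left
    if now > not_after:
        return "EXPIRED", days_left
    if days_left < warn_days:
        return "EXPIRING", days_left
    return "OK", days_left


def report(inventory=INVENTORY, now=NOW):
    """List (server, state, days_left) rows, worst states first."""
    order = ["EXPIRED", "NOT_YET_VALID", "EXPIRING", "OK"]
    rows = [(name, *classify(text, now)) for name, text in inventory.items()]
    return sorted(rows, key=lambda r: (order.index(r[1]), r[2]))


if __name__ == "__main__":
    for name, state, days in report():
        print(f"{name:8} {state:14} {days:5d} days")
```

In real use, pass the current time as `now` and feed in the dates collected from each real server; EXPIRED and NOT_YET_VALID rows are the ones whose certificate is outside its validity period.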
