Certificate validation check with HTTPS probes

Hi,

While configuring an HTTPS probe I observe that if the certificate on the target server is expired, the ACE marks the server as PROBE-FAILED. A Wireshark trace shows that the ACE refuses an expired certificate. Here is the probe configuration:

probe https NCL_PROBE_HTTPS
  description *** Server Health Probe ***
  interval 5
  faildetect 2
  passdetect interval 5
  passdetect count 2
  receive 4
  ssl version all
  request method get url /monitor/
  expect status 200 200
  header User-Agent header-value "Cisco ACE-4710"
  open 2
  expect regex "PROBE_OK"

I can disable the expiration date validation check with an ssl parameter-map, but such a map is only applicable to the backend session (on an ssl-proxy service), not to an https probe...

How do I make sure that my https probe can bypass the certificate validation check?

Thank you for any help

Yves Haemmerli

Accepted Solutions

Re: Certificate validation check with HTTPS probes

With ACE 1.x code this probe wouldn't have failed.

With ACE 2.x code, the https probe checks the validity of the certificate sent by the server.

I don't think there is a way to change this behavior.

HTH

Syed Iftekhar Ahmed
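
Given the answer above (the ACE 2.x HTTPS probe validates the server certificate and this cannot be turned off), the practical control is to catch real-server certificates before they expire and take the server out of rotation. The following is an added example, not part of the original thread and not Cisco code: it classifies the `notAfter` lines printed by `openssl x509 -noout -enddate`; the server names, dates and the 30-day warning window are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: one `openssl x509 -noout -enddate` output line per
# real server. Names and dates are made up for illustration.
SAMPLE_ENDDATES = {
    "rserver-c": "notAfter=Dec 31 23:59:59 2012 GMT",
    "rserver-a": "notAfter=Jan  5 09:34:43 2010 GMT",
    "rserver-b": "notAfter=Mar 20 00:00:00 2011 GMT",
}


def parse_not_after(line):
    """Turn an openssl 'notAfter=...' line into an aware UTC datetime."""
    key, sep, value = line.strip().partition("=")
    if key != "notAfter" or not sep:
        raise ValueError("not an openssl -enddate line: %r" % line)
    # cert_time_to_seconds() parses the certificate time format used by openssl.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def classify(not_after, now, warn_days=30):
    """Return (status, whole days left) for one certificate."""
    days_left = (not_after - now).days  # floors, so negative once expired
    if not_after <= now:
        return "EXPIRED", days_left     # per the thread: probe fails on ACE 2.x
    if days_left < warn_days:
        return "EXPIRING", days_left    # renew before the probe starts failing
    return "OK", days_left


def report(enddates, now, warn_days=30):
    """Classify every server, most urgent (fewest days left) first."""
    rows = []
    for name, line in enddates.items():
        status, days_left = classify(parse_not_after(line), now, warn_days)
        rows.append((name, status, days_left))
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives a stable result.
    now = datetime(2011, 3, 1, tzinfo=timezone.utc)
    for name, status, days_left in report(SAMPLE_ENDDATES, now):
        print("%-10s %-9s %5d days" % (name, status, days_left))
```
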

Re: Certificate validation check with HTTPS probes

Thanks again Syed

Yves
