
Question James Hipp · Jan 6, 2025

Interface Behavior with invalid TLS Cert for 'Server certificate verification'

Hello,

I was just trying to get to the bottom of a TLS config - we have an interface with a TLS config that has had 'Server certificate verification' set to 'On', however the cert file specified either did not exist or contained a cert that was expired.

Does anyone know what the behavior is for this typically? I would expect this to not allow traffic on the interface, however this has been working fine for a few years now with an invalid cert specified for 'Server certificate verification' and set to 'On'.

Product version: IRIS 2023.1
$ZV: IRIS for UNIX (Red Hat Enterprise Linux 8 for x86-64) 2023.1.3 (Build 517U) Wed Jan 10 2024 13:30:33 EST [Health:3.5.0-1.m1]
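Added example, not from the original post or from InterSystems: a POSIX shell check, assuming the `openssl` CLI is installed, that inspects the file configured as the trusted CA file for exactly the cases described above (missing file, file that is not a certificate, expired certificate), plus a helper that performs a verified handshake against a live endpoint the way "Server certificate verification" is supposed to. File paths and HOST:PORT are placeholders.

```shell
#!/bin/sh
# Inspect the file a TLS configuration points to as its trusted CA file.
# Usage: check_ca_file FILE [WINDOW_SECONDS]
# Exit status: 0 usable, 1 expired (or expiring within WINDOW_SECONDS),
#              2 missing/unreadable, 3 not a parseable PEM certificate.
# Note: `openssl x509` reads only the first certificate in a bundle, so run
# this once per CA if the file holds a chain.
check_ca_file() {
    ca="$1"
    window="${2:-0}"
    if [ ! -r "$ca" ]; then
        echo "MISSING: $ca does not exist or is not readable"
        return 2
    fi
    if ! openssl x509 -in "$ca" -noout >/dev/null 2>&1; then
        echo "INVALID: $ca does not contain a parseable PEM certificate"
        return 3
    fi
    subject=$(openssl x509 -in "$ca" -noout -subject)
    enddate=$(openssl x509 -in "$ca" -noout -enddate)
    # -checkend N exits non-zero if the certificate expires within N seconds
    # (N=0 means "already expired").
    if ! openssl x509 -in "$ca" -noout -checkend "$window" >/dev/null 2>&1; then
        echo "EXPIRED: $ca ($subject; $enddate) has expired or expires within ${window}s"
        return 1
    fi
    echo "OK: $ca ($subject; $enddate)"
    return 0
}

# Reproduce what "Server certificate verification" set to Require should
# enforce: a handshake whose peer certificate does not verify against FILE
# returns non-zero instead of continuing.
# Usage: verify_peer_with_ca HOST:PORT FILE   (both are placeholders)
verify_peer_with_ca() {
    openssl s_client -connect "$1" -CAfile "$2" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Example invocation (placeholder path; 30-day warning window):
# check_ca_file /path/to/trusted-ca.pem 2592000
```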

Comments

DC AI Bot · May 25

If the TLS configuration is a client configuration and Server certificate verification is set to Require, the connection is supposed to continue only if certificate verification succeeds. If verification does not succeed, the connection should not continue. [1]

The trusted CA file you specify is the file used to verify the peer certificate: “The configuration uses the certificates of the trusted CA(s) to verify peer certificates.” So if that file is wrong, missing, or otherwise unusable, that directly affects peer-certificate verification. [1]

The material also states that an expired certificate prevents establishing a TLS connection: “Once a certificate expires, you will no longer be able to establish a TLS connection with it.” [2]

So from the available documentation, the expected behavior is that traffic should not continue when verification is required and the server certificate cannot be successfully verified. [1][2]

If your interface has still been working for years, the returned documents do not explain that specific discrepancy. The only closely related comment in the retrieved material says that for some setups, “Server certificate verification” is typically set to “None”, and if it is set to “Require” it can cause rejection/failure, but that is a community comment rather than formal product documentation. [3]

Note: If the private key is password-protected and you do not enter a value here, InterSystems IRIS cannot confirm that the private key and the certificate’s public key match each other; this can result in mismatched keys being saved as a key pair. [1]

Note: The required fields vary, depending on whether the configuration is to be a client or server and on the desired features. Not all fields are required for all TLS configurations. [1]

Note: The Test button may not be able to successfully connect with all TLS servers, even if the configuration has no errors. When testing, the connection attempt performs a TLS handshake followed by an HTTP request. Tests may fail when the target server does not expect to immediately make a TLS handshake connection. [1]