This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
This site is in read only until July 22 as we migrate to a new platform; refer to this community post for more details.
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Apigee Edge allows "https" connection to server without certificate

Posted on 09-13-2024 01:23 PM
mark_hammelman
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hi, My issue is similar to the discussion on this other thread.

I was told that we had a proxy that was connecting to a backend server, and the backend server did not have a certificate, so I started to do some troubleshooting.

I created a targetServer like this:

 

{
    "host": "revoked.badssl.com",
    "isEnabled": true,
    "name": "badssl-testing",
    "port": 443,
    "sSLInfo": {
        "ciphers": [],
        "clientAuthEnabled": "false",
        "commonName": {
            "value": "*.badssl.com",
            "wildcardMatch": true
        },
        "enabled": "true",
        "ignoreValidationErrors": false,
        "protocols": [],
        "trustStore": "trustStore-outbound"
    }
}

 

 

 
 The proxy has this TargetConnection defined

 

 

    <HTTPTargetConnection>
        <LoadBalancer>
            <Server name="badssl-testing"/>
        </LoadBalancer>
        <Path/>
    </HTTPTargetConnection>

 

 

 
My browser tells me that "revoked.badssl.com" does not have a certificate, so there shouldn't be anything in the TrustStore ("trustStore-outbound"), nor should the "commonName" match.
mark_hammelman_0-1726257036418.png

However, I still get a '200 OK' response from the proxy.The trace shows that a successful HTTPS connection was established:

mark_hammelman_1-1726259004992.png

 

Have I missed something?  As far as I can tell, this should not be working, yet it does.

 

 

 

Solved Solved
0 3 278
Topic Labels
Jump to Solution
0 Likes
Reply
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
nmarkevich
Silver 2
Silver 2
In response to mark_hammelman
Reply posted on --/--/---- --:-- AM

After double-checking, I can confirm that Apigee doesn’t support CRL (Certificate Revocation Lists) or OCSP (Online Certificate Status Protocol) for revocation checking. This means that Apigee will validate the presented certificate against the trustStore, but it won’t automatically check whether the certificate has been revoked.

To monitor the status of certificates, many organizations rely on corporate CAs, which typically provide notifications for revoked or expired certificates. Additionally, enterprises often use Certificate Lifecycle Management (CLM) platforms, which offer centralized monitoring for revocation, expiration, and other issues. These platforms provide features like automated alerts and revocation status tracking through external APIs or CA endpoints.

Without these built-in checks in Apigee, you’ll need to rely on external monitoring solutions or manual certificate audits to stay informed about the status of your certificates.

View solution in original post

Jump to Solution
Reply
3 REPLIES 3
Top Solution Authors
View all