Hi,
Thanks for your reply. As per your advice, I have removed the ignore-server-auth-failure, but there is still no error on the browser.
root@srx-240-h# show
enable-flow-tracing;
preferred-ciphers medium;
trusted-ca [ 21FEB_GRP 21FEB_GRP_1 ];
root-ca 21FEB;
actions {
    log {
        all;
        sessions-allowed;
    }
}
I executed the following commands to re-test:
run clear security flow session
run clear services ssl proxy statistics
Traffic is matching the correct policy:
root@srx-240-h# run show security policies hit-count
Logical system: root-logical-system
Index   From zone   To zone   Name    Policy count
1       UTR         UTR       ALL     1
2       UTR         TR        ALL     21
3       TR          UTR       ALL     51
4       TR          UTR       HTTPS   1880
My security policies configuration is as follows:
[edit security policies from-zone TR to-zone UTR]
root@srx-240-h# show
policy HTTPS {
    match {
        source-address any;
        destination-address any;
        application junos-https;
    }
    then {
        permit {
            application-services {
                ssl-proxy {
                    profile-name SSL_PRFL-1;
                }
            }
        }
    }
}
policy ALL {
    match {
        source-address any;
        destination-address any;
        application junos-dns-udp;
    }
    then {
        permit;
    }
}
SSL services statistics are as below:
root@srx-240-h# run show services ssl proxy statistics
PIC:fwdd0 fpc[0] pic[0] ------
sessions matched 127
sessions whitelisted 0
sessions bypassed:non-ssl 0
sessions bypassed:mem overflow 0
sessions created 0
sessions ignored 0
sessions active 0
sessions dropped 0
My understanding of the excerpt below is that it applies to servers that are running a self-signed certificate.
If ignore-server-auth-failure is set, then any errors encountered during server
certificate verification at the time of the SSL handshake are ignored.
Commonly ignored errors include the inability to verify CA signature,
incorrect certificate expiration dates, and so forth. If this option is not set,
all the sessions where the server sends self-signed certificates are dropped
if any errors are encountered.
Thanks,
MYN