Forum Discussion

Maria_Carpinter
Oct 21, 2013

Authenticate clients with server certificate

We've configured a virtual server with an SSL Client profile in order to authenticate clients with a corporate CA. This CA generates only server certificates, so it doesn't work.


When we tried to troubleshoot the issue we noticed these certificates have the field SSL Client=No, but the load balancer expects a certificate with SSL Client=Yes, so it doesn't matter that the CA may validate the certificate; the load balancer discards it. Is there any way to use a server certificate to authenticate a client? Can we skip this verification (SSL Client=Yes) with iRules or any other method?


Thanks and regards.


4 Replies

  • I'd say this is very risky. Even if there were a way (and I don't think there is), you would be modifying the standard operation of a protocol you rely on for security, with the possibility of actually weakening your security and possibly leading to unintended consequences.


    I would suggest that whatever work is required to allow/change the CA to produce client certificates (or use of a different CA) is preferable to subverting your own security.


  • Setting the client certificate authentication in the client SSL profile to "request" instead of "require" should work for you.

    This setting should allow (client) server certificates to pass validation (i.e. there is no validation); however, it will also allow access without a certificate. To prevent that you may need an iRule like the following:

    # Runs once the client-side TLS handshake has completed
    when CLIENTSSL_HANDSHAKE {
        # In "request" mode the handshake succeeds even when the client
        # sent no certificate, so insist on at least one being present
        if { [SSL::cert count] == 0 } {
            reject
        }
    }
    
    
  • Thank you very much, we're going to study the different options to use client certificate.


  • Both options, request and require, perform the same function in the SSL handshake - they instruct the client to pass a certificate. The most significant difference between the two modes is what the server (F5) does with the received certificate. The require mode performs strict validation checking (date validity, trust chain compliance, key usage, etc.). The request mode basically does nothing and is typically used in scenarios where some users may not have certificates, or they're allowed to cancel the certificate prompt and still gain access. You must therefore add your own controls (via iRules) to maintain some of the integrity checking that is done automatically in require mode.
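Putting the second and fourth replies together, the following is an added example iRule, written for this page and not posted by anyone in the thread. It keeps the Client SSL profile in "request" mode but re-adds, by hand, the checks that "require" mode would have done (certificate present, chain verifies against the trusted CA bundle, validity period, expected issuer), and tolerates only the one failure the original poster wants to bypass: the certificate's purpose not being client authentication. It assumes that `SSL::verify_result` returns 0 on success and otherwise an OpenSSL `X509_V_ERR_*` code, that 26 is OpenSSL's `X509_V_ERR_INVALID_PURPOSE`, and that the issuer DN is a placeholder to be replaced with the corporate CA's DN exactly as BIG-IP prints it. The `X-Client-Cert-Subject` header name is also an assumption.

```tcl
# Added example (not from the thread): Client SSL profile set to "request",
# with the integrity checks that "require" mode would have performed
# re-implemented here, except for the client-auth purpose check.
when CLIENTSSL_HANDSHAKE {
    # Placeholder: replace with the corporate CA's issuer DN as BIG-IP
    # formats it (check with: log local0. [X509::issuer [SSL::cert 0]])
    set allowed_issuer "CN=Corporate Issuing CA,O=Example Corp"
    # Assumption: OpenSSL's X509_V_ERR_INVALID_PURPOSE, the code a
    # server-only certificate receives when checked for client auth
    set X509_V_ERR_INVALID_PURPOSE 26

    # 1. "request" lets the handshake finish with no certificate at all,
    #    so a missing certificate has to be rejected explicitly.
    if { [SSL::cert count] == 0 } {
        log local0. "clientcert: no certificate from [IP::client_addr], rejecting"
        reject
        return
    }

    set leaf [SSL::cert 0]
    set subject [X509::subject $leaf]

    # 2. Chain and validity-period check against the profile's trusted CA
    #    bundle. Only the purpose error is tolerated: the server certificate
    #    must still chain to a trusted CA and be within its validity dates.
    set vr [SSL::verify_result]
    if { $vr != 0 && $vr != $X509_V_ERR_INVALID_PURPOSE } {
        log local0. "clientcert: verification failed (code $vr) for $subject"
        reject
        return
    }

    # 3. Pin the issuer, so that a server certificate from any other CA in
    #    the trusted bundle cannot be presented as a login credential.
    if { [X509::issuer $leaf] ne $allowed_issuer } {
        log local0. "clientcert: unexpected issuer [X509::issuer $leaf] for $subject"
        reject
        return
    }

    # 4. Keep the authenticated subject for the HTTP layer (connection-scoped
    #    variable, visible in HTTP_REQUEST below).
    set client_subject $subject
}

when HTTP_REQUEST {
    # Strip any client-supplied copy of the header first so the backend can
    # trust it, then add the subject verified during the handshake.
    HTTP::header remove "X-Client-Cert-Subject"
    if { [info exists client_subject] } {
        HTTP::header insert "X-Client-Cert-Subject" $client_subject
    }
}
```

Before relying on the purpose-code exemption, log `$vr` for one of the corporate server certificates on the actual BIG-IP: if it reports 0 rather than 26 in "request" mode, the purpose check is not part of that verification and the exemption is simply unused; if it reports some other code, that code identifies the real reason the certificate is being refused.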