Forum Discussion

zafer

Nimbostratus

Oct 14, 2009

Client Certificate authentication

Hello

our IIS used Client authentication certificate based.

We want to SSL offload on bigip and support client authentication with bigip

i have two vip 192.168.1.60:http and 192.168.1.https

two pool http_pool: 192.168.0.160:http and https_pool : 192.168.0.160:https

i have two SSL profile, Client and Server SSL profile

imported customer domain certificate, key and CA certificate

here is the Client SSL profile

cert file: customer cert

key file :customer key file

Chain : customer Ca certificate

Trusted Certificate Authorities : customer Ca certificate

Client authentication Section : Request

on the SSL profile ;

cert file: customer cert

key file :customer key file

Chain : customer Ca certificate

Notes: if i dont enable Trusted Certificate Authorities and Client authentication mode require i dont see any error packet does not goes to backend server

with this configuration i can see packet goes to IIS but i see HTTP 403.16 error

regarding irule ; not hits

when CLIENTSSL_CLIENTCERT {

set cert [SSL::cert 0]

session add ssl [SSL::sessionid] $cert 600

}

when HTTP_REQUEST {

set client_cert [session lookup ssl [SSL::sessionid]]

if { $client_cert eq ""} {

SSL::renegotiate

} else {

set whole [X509::whole $client_cert]

log local0. "Inserting client cert in SSL_CLIENT_CERT $whole"

HTTP::header insert SSL_CLIENT_CERT $whole

}

19 Replies

hooleylist
Cirrostratus
Oct 14, 2009
Hi Zafer,

Thanks for providing the additional details on your scenario. If IIS is sending a 403.16 it means the client cert configured in the server SSL profile is incorrect. You can either install a valid client cert for the server SSL profile or disable client cert checking on the IIS server.

Once you get the server side portion of the connection working, you can retest the client side.

Aaron
zafer
Nimbostratus
Oct 14, 2009
Hi Aaron

what can be wrong on server ssl profile, it same like client ssl profile, you mean do i need to change on server authentication in server ssl profile?

the customer does not want disable anythin on IIS

regards

zafer
hooleylist
Cirrostratus
Oct 14, 2009
If you install the same client cert in a browser and connect directly to IIS do you get the error from IIS?

Aaron
zafer
Nimbostratus
Oct 15, 2009

its working properly client --> IIS

also if i disable ssl offload and make 443 load balance on bigip it works properly but we want do SSL offload and compress to http data, we must enable SSL profile

regards

zafer
Zafer_101134
Nimbostratus
Oct 15, 2009
Hello

another info when i log cert in to ltm logs i dont see whole client certificate, bigip cuts the certificate

what can be problem

zafer
hooleylist
Cirrostratus
Oct 15, 2009
Hi Zafer,

If the same client cert/key is working on a browser then it's most likely the LTM server SSL profile configuration that is the problem. Can you print out the actual serverssl profile using 'b profile serverssl PROFILE_NAME list all'? You can change the names of certs, etc to keep it anonymous.

Also, the LTM log file is limited in size. I'd guess the cert is longer than the max log entry size.

Aaron
Mandrake
Nimbostratus
Jun 09, 2010
Hi,

How i can redirect users who dont have certificate installed to say CA server or any public url for testing ??
hooleylist
Cirrostratus
Jun 09, 2010
Hi Prashant,

Are you referring to client SSL certificates? If so, how are you currently handling the client certs? Are you using the Advanced Client Auth module on LTM to request or require a client cert? If so, you'd want to add a check in CLIENTSSL_CLIENTCERT after requesting a client cert to see if the client presented a valid cert. If not, redirect them to a new URL.

Also, which LTM version are you running?

Thanks, Aaron
Mandrake
Nimbostratus
Jun 11, 2010
Hi Aaron,

Thanks for you reply, yes i am referring to client SSL certtificates, I am autheticating my clients with "require" option in SSL profile, module am using is ACA bundled with ASM, i did exactly what you are suggesting, that's to redirect if client does not present cert, however i was unable to use commands like redirect or respond under CLIENTSSL_CLIENTCERT event, so i created another event in same rule HTTP_REQUEST to pass on the global variable and use it to redirect, it doesn't work with Require option, probably cozz this option drops the connection itself, and not going to HTTP_REQUEST stage, though it worked with Request option, now i am just trying to think if it poses any risks !!! Any suggestions !!!

Cheers !

Prashant
hooleylist
Cirrostratus
Jun 11, 2010
If you use 9.4.8HF3 or HF4, you can use HTTP::respond to send a response from CLIENTSSL_HANDSHAKE:

CR125264 - HTTP::respond should be allowed in CLIENTSSL_HANDSHAKE

Also I wouldn't suggest using a global variable for this as the value will be trampled by all other connections.

Aaron