Forum Discussion

Alexander_Polya
Jan 12, 2018

APM On-Demand Cert Auth agent resets the connection when handshake timeout occurs.

Platform: 13.1

SSL client profile: Client Certificate set to Ignore

APM Policy: On-Demand Cert Auth agent as the first rule, set to «Request»

 

In my scenario, I am using a smartcard with an APM policy and the On-Demand Cert Auth agent. For example, I choose the certificate for authentication but do not have time to enter the PIN code (smartcard), and the handshake timeout occurs (the default is 10 sec.). After that, a blank page appears in the browser (I've tested the latest versions of IE and Chrome). The user may think that the service is unavailable. I've found a workaround: extend the handshake timeout in the Client SSL profile. Nevertheless, according to the F5 knowledge base this is not good practice, because of the security risk.

 

However, when I set the SSL Client Profile to ask for a certificate (Client Certificate: Request option), the problem does not recur. I deliberately set the handshake timeout to 1 sec.

 

Does this mean that the APM On-demand Cert Auth Agent is not working correctly?

 

  • Hi Alexander.

    I have already deployed this kind of implementation. And just like you, I had to increase the timeout. Indeed, as F5 explains, it is not good practice, because of the security risk.

    Coming back to your use case: SSL Client Profile set to ask for a certificate (Client Certificate: Request option):

    I think it's normal that it works. You set the way the system handles client certificates to "Request", which means that the system requests a valid certificate from a client but always authenticates the client, whether or not the client provides a certificate.

    On the other hand, if you had configured it to "REQUIRE", after 10 seconds without providing a cert (smartcard) you would have a blank page... Timeout.

    So for me the behaviour that you encounter is normal! And the APM On-Demand Cert Auth Agent is working correctly.

    In general, when we use cert auth (in the majority of use cases) we do not need any manipulation from the user except, of course, the cert selection. In your case you have a smartcard and maybe an OTP to enter, so you have to take into account the user behaviour and the latency that it causes; your 10 seconds of timeout will not be appropriate in your case.

    Let me know if you need additional information.

    Regards,
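The three Client SSL profile states the thread compares (Ignore with the default 10-second handshake timeout, Request, and the lengthened-timeout workaround), expressed as tmsh commands. This is an added example, not configuration posted by either participant; the profile name "clientssl-smartcard" and the CA bundle name "smartcard-ca.crt" are assumptions, and the commands are run from the BIG-IP shell.

```tmsh
# Added example (not from the thread). Inspect the two Client SSL settings the
# discussion turns on. "clientssl-smartcard" is an assumed profile name.
tmsh list ltm profile client-ssl clientssl-smartcard handshake-timeout peer-cert-mode

# Starting point described in the question: the profile ignores client
# certificates and relies on the APM On-Demand Cert Auth agent, with the
# default 10-second handshake timeout.
tmsh modify ltm profile client-ssl clientssl-smartcard peer-cert-mode ignore handshake-timeout 10

# Variant that did not reproduce the blank page: the profile itself requests
# (but does not require) a client certificate in the initial handshake.
# ca-file is the trusted CA bundle advertised in the CertificateRequest;
# "smartcard-ca.crt" is an assumed file name that must already be installed.
tmsh modify ltm profile client-ssl clientssl-smartcard peer-cert-mode request ca-file smartcard-ca.crt

# The workaround both posters resorted to and F5 advises against: a longer
# handshake timeout. Left commented out for contrast only; every slow or
# hostile peer can now hold an unfinished TLS handshake open for the full
# interval, which is why the short default exists.
# tmsh modify ltm profile client-ssl clientssl-smartcard handshake-timeout 60

tmsh save sys config
```

Setting peer-cert-mode to require would reintroduce the blank page on a PIN delay, as the reply notes, because the handshake then fails instead of completing without a certificate.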