Forum Discussion
APM On-Demand Cert Auth failure even though cert exists and is valid
I have a multi-path VPE. The first path is for automated systems which are detected based on client ip and take a branch using that logic. I know this path is working because I already have systems using it. I have the clientssl profile set to "ignore" with the trusted and advertised CA set to my agency bundle. Within the VPE I have an On-Demand Cert Auth immediately following. I have a remote host that is successfully matching the client IP branch and hitting the subsequent cert auth - but failing. APM logs clearly show session.ssl.cert.exist=0 and session.ssl.cert.valid=1.
Why would this host fail the On-Demand auth, yet these variables are set in such a fashion? Any ideas?
2 Replies
- eric_haupt1
Nimbostratus
Ok - it looks like those are the variables BEFORE the rehandshake... so is it logical to conclude that the server is not presenting a valid cert after the re-handshake? I don't see any other instances of session.ssl.cert.exist or session.ssl.cert.valid - I simply see rehandshake going from "2" to "0" and the Logon_Deny.
I'm assuming this remote host is not using an agency cert. I'd just like to be clear on variable interpretation before I go back with this answer.
- ackaljn
Nimbostratus
I've noticed the session.ssl.cert.valid variable values seem backwards. Pulled from a currently connected session that went through an On-Demand Cert Auth:
session.ssl.cert.exist=1
session.ssl.cert.valid=0
session.ssl.cert.whole contains the entire cert, it should exist if the client presents a cert.
I looked at the default successful branch rule for On-Demand Cert Auth and it's "expr { [mcget {session.ssl.cert.valid}] == "0" }"
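To make the variable semantics discussed in this thread concrete, here is an added example (not from the thread, and not F5's own code) that reproduces offline what the On-Demand Cert Auth check amounts to: does the client certificate chain to the trusted CA bundle? It assumes that check is ordinary chain validation against the bundle (the same thing `openssl verify -CAfile` does), and it maps the outcome to the convention the second reply observed in the default branch rule, where session.ssl.cert.valid is "0" on the successful branch and session.ssl.cert.exist is "1" when a cert was presented. The "agency" CA, the unrelated CA and the two host certs are constructed on the fly so the script runs with nothing but openssl installed; the names and paths are placeholders.

```shell
#!/bin/sh
# Added example: emulate APM's cert-auth outcome with openssl, using the
# value convention seen in the thread (valid == "0" means the cert passed).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample PKI (placeholder names): $1 = output prefix, $2 = CN.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a host cert: $1 = output prefix, $2 = CA prefix, $3 = CN.
make_host_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -sha256 -out "$1.pem" >/dev/null 2>&1
}

# session.ssl.cert.exist analogue: "1" if a parsable cert was presented, else "0".
apm_cert_exist() {
    if [ -s "$1" ] && openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo 1
    else
        echo 0
    fi
}

# session.ssl.cert.valid analogue, APM convention: "0" if the cert chains to the
# bundle ($1 = CA bundle, $2 = client cert), "1" if verification fails.
apm_cert_valid() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# Build the fixtures: an "agency" bundle, an unrelated CA, one host from each.
make_ca "$WORK/agency-ca" "Example Agency CA"
make_ca "$WORK/other-ca"  "Unrelated CA"
make_host_cert "$WORK/agency-host" "$WORK/agency-ca" "host.agency.example"
make_host_cert "$WORK/other-host"  "$WORK/other-ca"  "host.other.example"
AGENCY_BUNDLE="$WORK/agency-ca.pem"
AGENCY_HOST="$WORK/agency-host.pem"
OTHER_HOST="$WORK/other-host.pem"
NO_CERT="$WORK/missing.pem"

# Report each case the way the APM session variables would show it.
for host in "$AGENCY_HOST" "$OTHER_HOST" "$NO_CERT"; do
    printf '%s exist=%s valid=%s\n' "$(basename "$host")" \
        "$(apm_cert_exist "$host")" "$(apm_cert_valid "$AGENCY_BUNDLE" "$host")"
done
```

Run it as-is; the agency-issued host shows exist=1 valid=0 (the default success branch), the host signed by the unrelated CA shows exist=1 valid=1, and a missing cert shows exist=0. Pointing the same `openssl verify` at the real agency bundle and the remote host's cert is a quick way to confirm the first reply's hypothesis before going back to the host owner.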