Forum Discussion
client accept based on cert
hi,
Could someone please tell me how I control which clients can access the virtual server based on the client cert presented? I see a section within the client SSL profile -> Client Authentication window. Will selecting "client certificate required" act as a cert check, where the client will be disconnected if the client cert signature does not match that of the F5-installed third-party cert? Do I also need to add a 'Trusted Cert Authority', which in this case would be the third-party cert installed on the F5?
Cheers
4 Replies
- Josiah_39459 (Historic F5 Account)
Right. If you add a trusted CA bundle, then any certs signed by the certs in your bundle will be allowed, others will be denied.
- Josiah_39459 (Historic F5 Account)
Seeing your added comment, then you probably want to use APM: https://support.f5.com/kb/en-us/solutions/public/17000/000/sol17063.html
- Deee-blue_14536 (Nimbostratus)
I should add the aim of this configuration is to only allow clients who have a cert installed that matches one of the URLs listed in the SAN cert installed on the F5 from the same cert authority. Forgive me for any obvious errors as I'm not an expert on Certs.
- Kevin_Stewart (Employee)
If I may add,
I should add the aim of this configuration is to only allow clients who have a cert installed that matches one of the URLs listed in the SAN cert installed on the F5 from the same cert authority. Forgive me for any obvious errors as I'm not an expert on Certs.
If I understand you correctly, you want to match the client server to attributes of the server cert. That's not generally how mutually-authenticated SSL works. Here's a quick, simplified synopsis of the SSL handshake process (I'll assume an RSA key exchange here):
    Client Hello            -->
                            <-- Server Hello
                            <-- Certificate
                            <-- Certificate Request
                            <-- Server Hello Done
    Certificate             -->
    Client Key Exchange     -->
    Certificate Verify      -->
    Change Cipher Spec      -->
    Finished                -->
                            <-- Change Cipher Spec
                            <-- Finished
This is what an SSL handshake generally looks like when you enable client certificate authentication in the client SSL profile. In basically all SSL handshake patterns, the server's second message is its server certificate to the client. At this point the client must validate the server's certificate, which it does by a) verifying certificate integrity (structure, expiration dates, subject name match, and acceptable constraints), and b) establishing a "trust chain" from the server's certificate to an explicitly trusted (i.e. installed) CA, and any subordinate CAs in between. If the client cannot succeed in any of the above, the user will usually get an "untrusted certificate" error in the browser. Assuming that works, the server indicates that it wants a client certificate, and the client promptly sends one. The server (BIG-IP in this case) must perform the same validations. The trust chain is determined by the CA certificate defined in the Trusted Certificate Authorities bundle in the client SSL profile. Depending on how you have the Client Authentication option set (request or require), the BIG-IP can or must be able to build the complete chain to continue, respectively. All of the above boils down to two things:
- The minimum requirement for mutually-authenticated SSL is the Client Authentication enabled and set to either request or require, and the inclusion of a Trusted Certificate Authorities bundle in the client SSL profile.
- The server certificate that you use in the client SSL profile has absolutely nothing to do with how the BIG-IP validates the client certificate.
- The server certificate that you use in the client SSL profile has absolutely nothing to do with how the client selects and sends a client certificate.
There is no mechanism to "only allow clients who have a cert installed that matches one of the URLs listed in the SAN cert installed on the F5 from the same cert authority". You can present an acceptable certificate authorities list to the client, in the server's Certificate Request message, by introducing an Advertised Certificate Authorities bundle in the client SSL profile, but that simply tells the client from which CAs it will accept an issued client certificate.
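The point above, that only the trust chain to the Trusted Certificate Authorities bundle decides whether a client cert is accepted, can be reproduced with the openssl CLI. The script below is an added illustration, not code from the thread or from F5: it builds two constructed CAs ("trusted-ca", standing in for the bundle on the BIG-IP, and "other-ca"), issues a client cert from each, and shows that a cert whose CN copies a name from the server's SAN list is still rejected when it does not chain to the bundle.

```sh
#!/bin/sh
# Added example (constructed, not F5 code): what the BIG-IP's Trusted
# Certificate Authorities check boils down to, using the openssl CLI.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA certificate and key named $1 (1-day validity is enough here).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Client certificate with CN=$2, issued by the CA named $1.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -out "$2.crt" 2>/dev/null
}

# The decision the client SSL profile makes for a presented client cert:
# try to build a chain from it to a CA in the trusted bundle.
# $1 = client cert file, $2 = trusted CA bundle file; prints allow or deny.
client_cert_decision() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo allow
    else
        echo deny
    fi
}

make_ca trusted-ca
make_ca other-ca
make_client trusted-ca alice           # issued by the CA in the bundle
make_client other-ca www.example.com   # CN copied from a server SAN, wrong CA
cp trusted-ca.crt bundle.crt           # the "Trusted Certificate Authorities" file

echo "alice (trusted-ca):          $(client_cert_decision alice.crt bundle.crt)"
echo "www.example.com (other-ca):  $(client_cert_decision www.example.com.crt bundle.crt)"
```

The server certificate in the profile never enters the decision; swapping it for one with different SAN entries changes nothing about which client certs pass.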