Forum Discussion
client authentication - LTM
I'm trying to apply client authentication using a certificate, where the certificate is required, otherwise you can't view the link. The public certificate is installed on the client side and the private one is configured in the WAF. I'm using the iRule below to achieve that:
    when HTTP_REQUEST {
        # Only the protected path should demand a client certificate
        if { [HTTP::uri] starts_with "/mylink/" } {
            # No certificate on this connection yet: hold the request and renegotiate
            if { [SSL::cert count] <= 0 } {
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }
but I got an SSL handshake error as a warning in the WAF, so is there any error in the above rule? Or does it require another setup in the SSL profile? Note that I have different URLs which require different certificates, but all of them are under /mylink/; for certificates I have one profile containing all the required certificates.
- xuwenCumulonimbus
When your iRule works (LTM initiates an SSL HelloRequest, requiring the client to initiate a new SSL connection to LTM), the client attempts SSL::renegotiate (the client brings its client cert) to LTM; you should HTTP::release the clientside HTTP traffic:
    when CLIENTSSL_HANDSHAKE {
        # Fires after the renegotiated handshake; release the held request once a cert arrived
        if { [SSL::cert count] > 0 } {
            HTTP::release
        }
    }
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/mylink/" } {
            if { [SSL::cert count] == 0 } {
                # Buffer the request, drop the current session and force a fresh handshake
                HTTP::collect
                SSL::session invalidate
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate enable
                SSL::renegotiate
            }
        }
    }
- THE_BLUECirrostratus
- spalandeNacreous
In the clientssl profile, renegotiation should be enabled. Also, in the client authentication part, under Trusted Certificate Authorities, select the intermediate/issuer certificate of the client certificate.
You can also modify the iRule if the requirement is to parse the client cert subjectDN and allow access on it, or add it as a header to send to the pool member for authorization.
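The following iRule is an added example, not code from this thread or from F5, that combines the renegotiation pattern above with the subjectDN-to-header idea: it only releases the held request when the presented certificate passed chain validation against the profile's trusted CAs, and it strips any client-supplied copy of the header before inserting the verified subject. The header name X-Client-Cert-Subject and the /mylink/ prefix are assumptions; whether the request held by HTTP::collect re-enters HTTP_REQUEST after HTTP::release (and so receives the header) should be confirmed on the TMOS version in use.

```tcl
# Added example (not from the thread). Assumes the clientssl profile has
# renegotiation enabled and the issuing CA under Trusted Certificate Authorities.
# X-Client-Cert-Subject is an arbitrary header name chosen for this example.

when CLIENTSSL_HANDSHAKE {
    # Runs after every handshake, including the renegotiation forced below.
    if { [SSL::cert count] > 0 } {
        if { [SSL::verify_result] == 0 } {
            # Chain validated: remember the subject DN for this connection and
            # let the buffered request continue to the pool member.
            set client_subject [X509::subject [SSL::cert 0]]
            HTTP::release
        } else {
            # Certificate presented but not trusted: log the reason and drop the connection.
            log local0. "client cert rejected: [X509::verify_cert_error_string [SSL::verify_result]]"
            reject
        }
    }
}

when HTTP_REQUEST {
    # Never trust a header the client may have set itself; remove it before anything else.
    HTTP::header remove "X-Client-Cert-Subject"

    if { [HTTP::uri] starts_with "/mylink/" } {
        if { [SSL::cert count] == 0 } {
            # No certificate on this connection yet: hold the request, demand a
            # certificate and force a new handshake.
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate enable
            SSL::renegotiate
            return
        }
        # A validated certificate is already on this connection: tag the request so the
        # pool member can authorize on the subject DN without re-parsing the certificate.
        if { [info exists client_subject] } {
            HTTP::header insert "X-Client-Cert-Subject" $client_subject
        }
    }
}
```

Because the header is removed unconditionally at the top of HTTP_REQUEST, a request on a plain connection (or on a path outside /mylink/) reaches the pool member with no X-Client-Cert-Subject at all, so the backend can treat its presence as proof that the LTM verified a certificate.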
- THE_BLUECirrostratus
Renegotiation is enabled and I have tested the connection using SoapUI, but I got an error: "javax.net.ssl.SSLException: Connection reset"
Is there another option to test?
- spalandeNacreous
Does SoapUI have the required client certificate for testing? Capture a tcpdump/ssldump to analyse where it's breaking.
- THE_BLUECirrostratus
Yes, the idea is I have an API link which requires client authentication. In SoapUI I have attached the certificate and requested the API, but there is no response and I got the above error.
Have you confirmed with a tcpdump that the server requests the cert and the client cert is sent as expected?
You can also try with another client like curl or such to test.