Forum Discussion
xunil321_122934
Nimbostratus
Oct 02, 2014
Client cert for specific URIs: TLSv1.0 vs TLSv1.2
Dear all,
under 11.4.1 we are using an iRule to require a client cert
on specific URIs (when visiting other pages, clients are allowed to
proceed without any cert). When ONLY TLSv1.0 is enabl...
xunil321_122934
Nimbostratus
Oct 07, 2014
Meanwhile we compared the two ltm logs.
1st is the log where the client (IE 11) is offering TLSv1.0.
Everything is working fine, i.e. accessing the protected /Docs page
requires the client's cert as stated in our iRule:
...
...
Rule /Common/irule__uris : HTTP_REQUEST:START /Docs
Rule /Common/irule__uris : HTTP_REQUEST Cypher name: AES256-SHA
Rule /Common/irule__uris : HTTP_REQUEST Cypher version: TLSv1
Rule /Common/irule__uris : HTTP_REQUEST Cypher bits: 256
Rule /Common/irule__uris : PROTECTED: START /Docs
Rule /Common/irule__uris : Certificate Protectd Cert Count: 0
Rule /Common/irule__uris : Certificate Protectd Cert Mode: ignore
Rule /Common/irule__uris : PROTECTED: CERT COUNT 0: START Renegotiation for uri /Docs
Rule /Common/irule__uris : Content Length:
Rule /Common/irule__uris : PROTECTED: renegotiated Cert Count: 0
Rule /Common/irule__uris : PROTECTED: renegotiated Cert Result: 0
Rule /Common/irule__uris : SSL Handshake completed
Rule /Common/irule__uris : Cert Count: 2
****************************************************************************
Rule /Common/irule__uris : Certificate Mode: require
****************************************************************************
Rule /Common/irule__uris : SSL::authenticate require detected
Rule /Common/irule__uris : HTTP::release
Rule /Common/irule__uris : xxx.xxx.xxx.xxx:55776: cert 0; subject=CN=xxx xxx,OU=End Users,OU=xxx,O=xxxxxxx; CN=xxx SubCA-001,OU=PKI Components,OU=xxx,O=xxxxxxxx;cert_serial=77:27:d5:a1:42:a1:74:48:54:11:91:22:49:db:d6:db;
Rule /Common/irule__uris : xxx.xxx.xxx.xxx:55776: cert 1; subject=CN=xxx SubCA-001,OU=PKI Components,OU=xxx,O=xxx; CN=xxxx RootCA,OU=PKI Components,OU=xxx,O=xxx;cert_serial=67:60:b9:ff:f5:f1:6b:c1:53:32:c7:47:50:75:24:b0;
Rule /Common/irule_uris : HTTP_REQUEST:START /Docs/default.aspx
Rule /Common/irule_uris : HTTP_REQUEST:START /Docs/default.aspx
Rule /Common/irule_uris : HTTP_REQUEST Cypher name: AES256-SHA
Rule /Common/irule_uris : HTTP_REQUEST Cypher version: TLSv1
Rule /Common/irule_uris : HTTP_REQUEST Cypher bits: 256
Rule /Common/irule_uris : PROTECTED: START /Docs/default.aspx
Rule /Common/irule_uris : Certificate Protectd Cert Count: 2
Rule /Common/irule_uris : Certificate Protectd Cert Mode: require
Rule /Common/irule_uris : PROTECTED: CERT-SUCCESS: Client certificate provided, cert count: 2
Rule /Common/irule_ader : Replace host header to xxx.xxx.xxx.xxx
Rule /Common/irule_uris : HTTP_REQUEST:START /SiteAssets/EMIS-LOGO-04.png
Rule /Common/irule_uris : HTTP_REQUEST:START /SiteAssets/EMIS-LOGO-04.png
Rule /Common/irule_uris : HTTP_REQUEST Cypher name: AES256-SHA
Rule /Common/irule_uris : HTTP_REQUEST Cypher version: TLSv1
Rule /Common/irule_uris : HTTP_REQUEST Cypher bits: 256
Rule /Common/irule_uris : UNPROTECTED: Certificate Unprotected URI: /SiteAssets/EMIS-LOGO-04.png
....
2nd is the log where the client (IE 11) is offering TLSv1.2.
When accessing the protected /Docs page there is no 'Certificate Mode: require' entry
as expected by the iRule; therefore the SSL handshake fails:
....
....
Rule /Common/irule_uris : HTTP_REQUEST:START /Docs
Rule /Common/irule_uris : HTTP_REQUEST:START /Docs
Rule /Common/irule_uris : HTTP_REQUEST Cypher name: AES256-SHA
Rule /Common/irule_uris : HTTP_REQUEST Cypher version: TLSv1.2
Rule /Common/irule_uris : HTTP_REQUEST Cypher bits: 256
Rule /Common/irule_uris : PROTECTED: START /Docs
Rule /Common/irule_uris : Certificate Protectd Cert Count: 0
Rule /Common/irule_uris : Certificate Protectd Cert Mode: ignore
Rule /Common/irule_uris : PROTECTED: CERT COUNT 0: START Renegotiation for uri /Docs
Rule /Common/irule_uris : Content Length:
Rule /Common/irule_uris : PROTECTED: renegotiated Cert Count: 0
Rule /Common/irule_uris : PROTECTED: renegotiated Cert Result: 0
info tmm[8912]: 01260013:6: SSL Handshake failed for TCP from xxx.xxx.xxx.xxx:55817 to xxx.xxx.xxx.xxx:443
Any idea why?
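The per-URI renegotiation flow that the log entries above trace, written out as an added example iRule (this is not the poster's irule_uris, whose source is not in the thread). The /Docs prefix and the log wording are taken from the logs; the event handling and log facility are assumed.

```tcl
# Added example (not the poster's irule_uris): require a client cert
# only for URIs under /Docs by holding the request and renegotiating.
# "/Docs" comes from the logs in the thread; the rest is assumed.
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/Docs" } {
        log local0. "PROTECTED: START [HTTP::uri], cert count [SSL::cert count]"
        if { [SSL::cert count] == 0 } {
            # Protected URI and no cert on this session: park the request
            # until the renegotiated handshake completes (see
            # CLIENTSSL_HANDSHAKE below), and switch to "require" mode.
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
            log local0. "PROTECTED: CERT COUNT 0: START Renegotiation for uri [HTTP::uri]"
        }
    } else {
        # Anything outside /Docs is served without a client cert.
        log local0. "UNPROTECTED: Certificate Unprotected URI: [HTTP::uri]"
    }
}

when CLIENTSSL_HANDSHAKE {
    # Runs only when the (re)negotiated handshake completes. In the
    # TLSv1.2 trace above it never completes, so HTTP::release never
    # runs and the held /Docs request stalls.
    log local0. "SSL Handshake completed, Cert Count: [SSL::cert count]"
    if { [SSL::cert count] > 0 } {
        HTTP::release
    } else {
        # With mode "require" a missing cert should already have failed
        # the handshake; drop the connection rather than release the request.
        reject
    }
}
```

The absence of the "SSL Handshake completed" and "Certificate Mode: require" lines in the TLSv1.2 log matches the CLIENTSSL_HANDSHAKE event never firing, so the failure is in the renegotiation itself rather than in the URI check.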