Forum Discussion
chris_nelson_11
Nimbostratus
Oct 04, 2011
client cert format(s)
long time lurker, first time poster (ish),
anyway, down to business.. what client cert format should I be using to auth an interactive browser SSL session?
I've been busy labbing this and attempted to use a PFX/PKCS12 cert/private key I generated and converted on the F5 (using the associated openssl commands). Imports into the host cert store no problem along with the F5 default crt file. Advertise the default CA to the client and the browser allows me to select the correct cert. Added an iRule to log the cert subject and thumbprint (which is working as expected) but she's not working (I cannot see any clear backend connection when I tcpdump the connection).
Should I be using a different cert format? Ran an ssldump and only had limited insight :-)
cheers, chris
- nitass
Employee
> Should I be using a different cert format? Ran an ssldump and only had limited insight :-)

I don't think using a different cert format makes a difference.

- nitass
Employee
this is mine.

[root@iris:Active] tmp b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.17.33:https
   ip protocol tcp
   profiles {
      myclientssl {
         clientside
      }
      tcp {}
   }
}
[root@iris:Active] tmp b pool foo list
pool foo {
   members 10.10.70.110:http {}
}
[root@iris:Active] tmp b profile myclientssl list
profile clientssl myclientssl {
   defaults from clientssl
   ca file "myca.crt"
   client cert ca "myca.crt"
   peer cert mode require
}
[root@iris:Active] tmp perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer");
> print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' /config/ssl/ssl.crt/myca.crt
---
subject= /C=us/ST=wa/L=seattle/O=f5net/OU=ps/CN=ca.f5net.com
issuer= /C=us/ST=wa/L=seattle/O=f5net/OU=ps/CN=ca.f5net.com
[root@iris:Active] tmp perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer"); print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' /var/tmp/client.crt
---
subject= /C=us/ST=wa/L=seattle/O=f5net/OU=ps/CN=client.f5net.com
issuer= /C=us/ST=wa/L=seattle/O=f5net/OU=ps/CN=ca.f5net.com
[root@iris:Active] tmp curl -Ik https://172.28.17.33/
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[root@iris:Active] tmp curl -Ik https://172.28.17.33/ --cert /var/tmp/client.crt --key /var/tmp/client.key
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2011 05:48:50 GMT
Server: Apache/2.0.59 (rPath)
Last-Modified: Sat, 11 Jun 2011 00:31:47 GMT
ETag: "667a-67-cfb682c0"
Accept-Ranges: bytes
Content-Length: 103
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
[root@iris:Active] config tcpdump -nni 0.0 port 80 or port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
22:37:56.206922 IP 172.28.16.50.55779 > 172.28.17.33.443: S 1134784783:1134784783(0) win 5840
22:37:56.206975 IP 172.28.17.33.443 > 172.28.16.50.55779: S 336533231:336533231(0) ack 1134784784 win 4380
22:37:56.207366 IP 172.28.16.50.55779 > 172.28.17.33.443: . ack 1 win 46
22:37:56.231964 IP 172.28.16.50.55779 > 172.28.17.33.443: P 1:61(60) ack 1 win 46
22:37:56.232023 IP 172.28.17.33.443 > 172.28.16.50.55779: P 1:899(898) ack 61 win 4380
22:37:56.233346 IP 172.28.16.50.55779 > 172.28.17.33.443: . ack 899 win 60
22:37:56.258822 IP 172.28.16.50.55779 > 172.28.17.33.443: P 61:1487(1426) ack 899 win 60
22:37:56.260844 IP 10.10.72.30.55779 > 10.10.70.110.80: S 2770116511:2770116511(0) win 4380
22:37:56.260919 IP 172.28.17.33.443 > 172.28.16.50.55779: P 899:946(47) ack 1487 win 5866
22:37:56.261254 IP 10.10.70.110.80 > 10.10.72.30.55779: S 1949413990:1949413990(0) ack 2770116512 win 5792
22:37:56.261277 IP 10.10.72.30.55779 > 10.10.70.110.80: . ack 1 win 4380
22:37:56.262251 IP 172.28.16.50.55779 > 172.28.17.33.443: P 1487:1667(180) ack 946 win 60
22:37:56.262353 IP 10.10.72.30.55779 > 10.10.70.110.80: P 1:156(155) ack 1 win 4380
22:37:56.262589 IP 10.10.70.110.80 > 10.10.72.30.55779: . ack 156 win 1716
22:37:56.264550 IP 10.10.70.110.80 > 10.10.72.30.55779: P 1:266(265) ack 156 win 1716
22:37:56.264913 IP 172.28.17.33.443 > 172.28.16.50.55779: P 946:1236(290) ack 1667 win 6046
22:37:56.266389 IP 172.28.16.50.55779 > 172.28.17.33.443: P 1667:1694(27) ack 1236 win 74
22:37:56.266423 IP 10.10.72.30.55779 > 10.10.70.110.80: F 156:156(0) ack 266 win 4645
22:37:56.266429 IP 172.28.17.33.443 > 172.28.16.50.55779: F 1236:1236(0) ack 1694 win 6073
22:37:56.266738 IP 10.10.70.110.80 > 10.10.72.30.55779: F 266:266(0) ack 157 win 1716
22:37:56.266751 IP 10.10.72.30.55779 > 10.10.70.110.80: . ack 267 win 4645
22:37:56.268837 IP 172.28.16.50.55779 > 172.28.17.33.443: F 1694:1694(0) ack 1237 win 74
22:37:56.268884 IP 172.28.17.33.443 > 172.28.16.50.55779: . ack 1695 win 6073
23 packets captured
23 packets received by filter
0 packets dropped by kernel
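As an added example (not code from the thread, and not F5's own tooling): the reply above checks three things with openssl and curl before blaming the certificate format, namely who issued the client cert, whether it is the CA named in the clientssl profile, and whether the VIP answers with the cert presented. The POSIX shell helpers below package those checks so a client cert/key pair can be validated against the profile's CA file before it is bundled into a PKCS#12 for the browser. They assume openssl (and, for probe_vip, curl) on PATH; every file name is a caller-supplied argument, the function names are made up for this example, and the lab CA/client names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from F5. Helpers for checking a client
# cert against a clientssl profile set to "peer cert mode require".
# Assumes openssl on PATH (curl only for probe_vip). File names are arguments.

# Print subject and issuer of every certificate in a PEM file (a CA bundle or
# a client cert); does what the perl one-liner in the reply does, without perl.
cert_identities() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Succeed only if the certificate ($2) chains to the CA file ($1), i.e. the
# file the profile uses as "client cert ca". A cert from any other CA is
# rejected in the handshake no matter how it was packaged.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if the private key ($2) belongs to the certificate ($1) by
# comparing their SubjectPublicKeyInfo. A mismatched pair also fails the
# handshake and is easy to mistake for a format problem after conversion.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Bundle cert ($1), key ($2) and issuing CA ($3) into a PKCS#12 file ($5)
# protected by password ($4): the form the browser's cert store imports.
make_pkcs12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -passout "pass:$4" -out "$5" >/dev/null 2>&1
}

# Lab helpers (constructed, short-lived, test bench only): a self-signed CA
# written to $1.key/$1.crt with CN $2, and a client cert issued by CA cert $1
# and key $2, written to $3.key/$3.csr/$3.crt with CN $4.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$3.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
    -days 1 -out "$3.crt" >/dev/null 2>&1
}

# The reply's curl check against a VIP ($1): prints the HTTP status with the
# client cert ($2) and key ($3) presented. A working setup prints 200; a
# handshake failure prints 000. Network access required, so not self-tested.
probe_vip() {
  curl -sk -o /dev/null -w '%{http_code}' --cert "$2" --key "$3" "https://$1/"
}
```

Run cert_chains_to_ca with the same file the profile names under "client cert ca" and key_matches_cert on the pair you are about to convert; only when both pass is make_pkcs12 worth doing, and probe_vip then reproduces the reply's two curl calls in one status code.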