Forum Discussion

chris_nelson_11
Oct 04, 2011

client cert format(s)

long time lurker, first time poster (ish),

anyway down to business.. what client cert format should I be using to auth an interactive browser SSL session?

I've been busy labbing this and attempted to use a PFX/PKCS12 cert/private key I generated and converted on the F5 (using the associated openssl commands). It imports into the host cert store no problems along with the F5 default crt file. I advertise the default CA to the client and the browser allows me to select the correct cert. I added an iRule to log the cert subject and thumbprint (which is working as expected) but she's not working (I cannot see any clear backend connection when I tcpdump the connection).

Should I be using a different cert format? Ran an ssldump and only had limited insight :-)

cheers, chris
  • "Should I be using a different cert format? Ran an ssldump and only had limited insight :-)"

    I don't think using a different cert format makes a difference.

    By the way, I am not quite clear what the problem is. Would you mind explaining a little bit more? Also, it might be great if you can post your config here.
  • This is mine.

    [root@iris:Active] tmp  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.17.33:https
       ip protocol tcp
       profiles {
          myclientssl {
             clientside
          }
          tcp {}
       }
    }
    [root@iris:Active] tmp  b pool foo list
    pool foo {
       members 10.10.70.110:http {}
    }
    [root@iris:Active] tmp  b profile myclientssl list
    profile clientssl myclientssl {
       defaults from clientssl
       ca file "myca.crt"
       client cert ca "myca.crt"
       peer cert mode require
    }
    
    [root@iris:Active] tmp  perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer");
    > print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' /config/ssl/ssl.crt/myca.crt
    ---
    subject= /C=us/ST=wa/L=seattle/O=f5net/OU=ps/CN=ca.f5net.com
    issuer= /C=us/ST=wa/L=seattle/O=f5net/OU=ps/CN=ca.f5net.com
    
    [root@iris:Active] tmp  perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer");
    print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' /var/tmp/client.crt
    ---
    subject= /C=us/ST=wa/L=seattle/O=f5net/OU=ps/CN=client.f5net.com
    issuer= /C=us/ST=wa/L=seattle/O=f5net/OU=ps/CN=ca.f5net.com
    
    [root@iris:Active] tmp  curl -Ik https://172.28.17.33/
    curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
    
    [root@iris:Active] tmp  curl -Ik https://172.28.17.33/ --cert /var/tmp/client.crt --key /var/tmp/client.key
    HTTP/1.1 200 OK
    Date: Mon, 10 Oct 2011 05:48:50 GMT
    Server: Apache/2.0.59 (rPath)
    Last-Modified: Sat, 11 Jun 2011 00:31:47 GMT
    ETag: "667a-67-cfb682c0"
    Accept-Ranges: bytes
    Content-Length: 103
    Vary: Accept-Encoding
    Content-Type: text/html; charset=UTF-8
    
    [root@iris:Active] config  tcpdump -nni 0.0 port 80 or port 443
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    22:37:56.206922 IP 172.28.16.50.55779 > 172.28.17.33.443: S 1134784783:1134784783(0) win 5840 
    22:37:56.206975 IP 172.28.17.33.443 > 172.28.16.50.55779: S 336533231:336533231(0) ack 1134784784 win 4380 
    22:37:56.207366 IP 172.28.16.50.55779 > 172.28.17.33.443: . ack 1 win 46 
    22:37:56.231964 IP 172.28.16.50.55779 > 172.28.17.33.443: P 1:61(60) ack 1 win 46 
    22:37:56.232023 IP 172.28.17.33.443 > 172.28.16.50.55779: P 1:899(898) ack 61 win 4380 
    22:37:56.233346 IP 172.28.16.50.55779 > 172.28.17.33.443: . ack 899 win 60 
    22:37:56.258822 IP 172.28.16.50.55779 > 172.28.17.33.443: P 61:1487(1426) ack 899 win 60 
    22:37:56.260844 IP 10.10.72.30.55779 > 10.10.70.110.80: S 2770116511:2770116511(0) win 4380 
    22:37:56.260919 IP 172.28.17.33.443 > 172.28.16.50.55779: P 899:946(47) ack 1487 win 5866 
    22:37:56.261254 IP 10.10.70.110.80 > 10.10.72.30.55779: S 1949413990:1949413990(0) ack 2770116512 win 5792 
    22:37:56.261277 IP 10.10.72.30.55779 > 10.10.70.110.80: . ack 1 win 4380 
    22:37:56.262251 IP 172.28.16.50.55779 > 172.28.17.33.443: P 1487:1667(180) ack 946 win 60 
    22:37:56.262353 IP 10.10.72.30.55779 > 10.10.70.110.80: P 1:156(155) ack 1 win 4380 
    22:37:56.262589 IP 10.10.70.110.80 > 10.10.72.30.55779: . ack 156 win 1716 
    22:37:56.264550 IP 10.10.70.110.80 > 10.10.72.30.55779: P 1:266(265) ack 156 win 1716 
    22:37:56.264913 IP 172.28.17.33.443 > 172.28.16.50.55779: P 946:1236(290) ack 1667 win 6046 
    22:37:56.266389 IP 172.28.16.50.55779 > 172.28.17.33.443: P 1667:1694(27) ack 1236 win 74 
    22:37:56.266423 IP 10.10.72.30.55779 > 10.10.70.110.80: F 156:156(0) ack 266 win 4645 
    22:37:56.266429 IP 172.28.17.33.443 > 172.28.16.50.55779: F 1236:1236(0) ack 1694 win 6073 
    22:37:56.266738 IP 10.10.70.110.80 > 10.10.72.30.55779: F 266:266(0) ack 157 win 1716 
    22:37:56.266751 IP 10.10.72.30.55779 > 10.10.70.110.80: . ack 267 win 4645 
    22:37:56.268837 IP 172.28.16.50.55779 > 172.28.17.33.443: F 1694:1694(0) ack 1237 win 74 
    22:37:56.268884 IP 172.28.17.33.443 > 172.28.16.50.55779: . ack 1695 win 6073 
    
    23 packets captured
    23 packets received by filter
    0 packets dropped by kernel
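The two checks the reply above performs by hand (compare the client cert's issuer with the CA's subject using `openssl x509 -subject -issuer`, then prove it with a real handshake) can be scripted so the answer to "is it the format?" is unambiguous. The script below is an added example written for this editorial pass; it is not from the thread, the poster, or F5. It assumes only the `openssl` CLI on PATH, and every name in it (ca.example.test, client.example.test, the decoy CAs, the password `demo`) is constructed. It goes one step past the thread on purpose: it also round-trips the client certificate through PKCS#12, the container the original poster imported into the browser store, to show the certificate inside is unchanged, and it adds a decoy CA that shares the trusted CA's name but not its key, where the name comparison passes and only `openssl verify` catches the problem.

```shell
#!/bin/sh
# Added example, not from the thread or from F5. Assumes only the openssl CLI.
# All hostnames below (ca.example.test, client.example.test, ...) are constructed.
set -eu

# Build a throwaway PKI in $1: a CA, a client cert signed by it, and two
# decoy CAs (one with a different name, one with the same name but a new key).
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/C=XX/O=Example/CN=ca.example.test" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=XX/O=Example/CN=client.example.test" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$dir/client.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/client.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/C=XX/O=Other/CN=other-ca.example.test" \
    -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/C=XX/O=Example/CN=ca.example.test" \
    -keyout "$dir/samename.key" -out "$dir/samename.crt" 2>/dev/null
}

# check_client_cert CA_CRT CLIENT_CRT CLIENT_KEY
# Prints OK when CLIENT_CRT was issued by CA_CRT and survives a PEM -> PKCS#12
# -> PEM round trip unchanged; otherwise prints the name of the first failed check.
check_client_cert() {
  ca_crt=$1; client_crt=$2; client_key=$3
  # Step 1: the comparison the reply does by hand with "openssl x509 -subject
  # -issuer": the client cert's issuer must equal the CA's subject.
  ca_subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$ca_crt")
  client_issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$client_crt")
  if [ "${ca_subject#subject=}" != "${client_issuer#issuer=}" ]; then
    echo ISSUER_MISMATCH; return 0
  fi
  # Step 2: a cryptographic chain check; a matching name alone proves nothing.
  if ! openssl verify -CAfile "$ca_crt" "$client_crt" 2>/dev/null | grep -q ': OK$'; then
    echo VERIFY_FAILED; return 0
  fi
  # Step 3: PEM -> PKCS#12 (what a browser imports) -> PEM, then compare
  # fingerprints to show the container format does not alter the certificate.
  pfx=$(mktemp); pem_back=$(mktemp)
  openssl pkcs12 -export -in "$client_crt" -inkey "$client_key" \
    -certfile "$ca_crt" -passout pass:demo -out "$pfx" 2>/dev/null
  openssl pkcs12 -in "$pfx" -passin pass:demo -nokeys -clcerts \
    -out "$pem_back" 2>/dev/null
  fp_orig=$(openssl x509 -noout -fingerprint -sha256 -in "$client_crt")
  fp_back=$(openssl x509 -noout -fingerprint -sha256 -in "$pem_back")
  rm -f "$pfx" "$pem_back"
  if [ "$fp_orig" = "$fp_back" ]; then echo OK; else echo PKCS12_ROUNDTRIP_CHANGED; fi
}

# Demo run: the trusted CA passes, the two decoys fail at different steps.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
echo "trusted CA:   $(check_client_cert "$demo_dir/ca.crt" "$demo_dir/client.crt" "$demo_dir/client.key")"
echo "other CA:     $(check_client_cert "$demo_dir/other.crt" "$demo_dir/client.crt" "$demo_dir/client.key")"
echo "same-name CA: $(check_client_cert "$demo_dir/samename.crt" "$demo_dir/client.crt" "$demo_dir/client.key")"
rm -rf "$demo_dir"
```

Read against the thread: with `peer cert mode require` and `client cert ca` naming one CA file, the clientssl profile aborts the handshake for any browser certificate that fails step 1 or step 2, which shows up to the client the same way as the first curl call above (the `sslv3 alert handshake failure` when no acceptable certificate is presented). Step 3 is there because the original poster went through a PFX: the container changes, the certificate inside does not, which is the reply's point that the format is not the issue. If step 1 fails, the fix is on the profile (trust the CA that actually issued the browser's certificate), not on the export format.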