Forum Discussion: Client Certificate authentication
- zafer (Nimbostratus), Oct 14, 2009
Hello,
Our IIS uses certificate-based client authentication.
We want to do SSL offload on the BIG-IP and support client authentication with the BIG-IP.
I have two VIPs: 192.168.1.60:http and 192.168.1.https
and two pools: http_pool: 192.168.0.160:http and https_pool: 192.168.0.160:https
I have two SSL profiles, a Client SSL profile and a Server SSL profile,
and imported the customer's domain certificate, key and CA certificate.
Here is the Client SSL profile:
Cert file: customer cert
Key file: customer key file
Chain: customer CA certificate
Trusted Certificate Authorities: customer CA certificate
Client Authentication section: Request
On the Server SSL profile:
Cert file: customer cert
Key file: customer key file
Chain: customer CA certificate
Note: if I don't enable Trusted Certificate Authorities and set Client Authentication mode to Require, I don't see any error; the packet does not go to the backend server.
With this configuration I can see the packet going to IIS, but I see an HTTP 403.16 error.
Regarding the iRule: no hits.
when CLIENTSSL_CLIENTCERT {
    # Runs once the client has answered the certificate request.
    # Cache the cert (DER) in the session table, keyed by the TLS session ID,
    # so later requests on a resumed session can find it.
    set cert [SSL::cert 0]
    session add ssl [SSL::sessionid] $cert 600
}
when HTTP_REQUEST {
    set client_cert [session lookup ssl [SSL::sessionid]]
    if { $client_cert eq "" } {
        # No cached cert for this session: ask the client for one.
        SSL::renegotiate
    } else {
        # X509::whole returns the certificate as multi-line PEM text.
        set whole [X509::whole $client_cert]
        log local0. "Inserting client cert in SSL_CLIENT_CERT $whole"
        HTTP::header insert SSL_CLIENT_CERT $whole
    }
}
19 Replies
- hoolio (Cirrostratus)
Hi Zafer,
Thanks for providing the additional details on your scenario. If IIS is sending a 403.16 it means the client cert configured in the server SSL profile is incorrect. You can either install a valid client cert for the server SSL profile or disable client cert checking on the IIS server.
Once you get the server side portion of the connection working, you can retest the client side.
Aaron
- zafer (Nimbostratus)
Hi Aaron,
What can be wrong in the Server SSL profile? It is the same as the Client SSL profile. Do you mean I need to change the server authentication settings in the Server SSL profile?
The customer does not want to disable anything on IIS.
Regards,
zafer
- hoolio (Cirrostratus)
If you install the same client cert in a browser and connect directly to IIS, do you get the error from IIS?
Aaron
- zafer (Nimbostratus)
It works properly client --> IIS.
Also, if I disable SSL offload and load-balance 443 on the BIG-IP, it works properly, but we want to do SSL offload and compress the HTTP data, so we must enable the SSL profile.
Regards,
zafer
- Zafer_101134 (Nimbostratus)
Hello,
Another piece of info: when I log the cert to the LTM logs I don't see the whole client certificate; the BIG-IP cuts the certificate.
What can the problem be?
zafer
- hoolio (Cirrostratus)
Hi Zafer,
If the same client cert/key is working on a browser then it's most likely the LTM server SSL profile configuration that is the problem. Can you print out the actual serverssl profile using 'b profile serverssl PROFILE_NAME list all'? You can change the names of certs, etc to keep it anonymous.
Also, the LTM log file is limited in size. I'd guess the cert is longer than the max log entry size.
Aaron
- Mandrake (Nimbostratus)
Hi,
How can I redirect users who don't have a certificate installed to, say, a CA server or any public URL for testing?
- hoolio (Cirrostratus)
Hi Prashant,
Are you referring to client SSL certificates? If so, how are you currently handling the client certs? Are you using the Advanced Client Auth module on LTM to request or require a client cert? If so, you'd want to add a check in CLIENTSSL_CLIENTCERT after requesting a client cert to see if the client presented a valid cert. If not, redirect them to a new URL.
Also, which LTM version are you running?
Thanks, Aaron
- Mandrake (Nimbostratus)
Hi Aaron,
Thanks for your reply. Yes, I am referring to client SSL certificates. I am authenticating my clients with the "Require" option in the SSL profile; the module I am using is ACA bundled with ASM. I did exactly what you are suggesting, that is, redirect if the client does not present a cert. However, I was unable to use commands like redirect or respond under the CLIENTSSL_CLIENTCERT event, so I created another event in the same rule, HTTP_REQUEST, to pass on the global variable and use it to redirect. It doesn't work with the Require option, probably because this option drops the connection itself and never gets to the HTTP_REQUEST stage, though it worked with the Request option. Now I am just trying to think whether it poses any risks. Any suggestions?
Cheers!
Prashant
- hoolio (Cirrostratus)
Cirrostratus
If you use 9.4.8HF3 or HF4, you can use HTTP::respond to send a response from CLIENTSSL_HANDSHAKE:
CR125264 - HTTP::respond should be allowed in CLIENTSSL_HANDSHAKE
Also, I wouldn't suggest using a global variable for this, as the value will be trampled by all other connections.
Aaron
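The following iRule is an added example written for this page; it is not code from the thread or from F5. It combines the two things discussed above: zafer's cert-to-header insertion and Prashant's "redirect clients that have no certificate" case. It assumes the Client SSL profile is set to Request (with Require the handshake fails before any HTTP event fires, as Prashant observed, so enforcement has to live in the iRule), and it uses a hypothetical enrollment page at https://ca.example.com/enroll. It stores only a per-session marker in the session table and no global variables, strips any client-supplied copy of the injected header so a client cannot spoof an identity to IIS, and passes the certificate as base64 of the DER so the header value is a single line (the backend is assumed to decode that, which is not something the thread specifies):

```tcl
# Added example (not from the original thread). Assumes: Client SSL profile
# with Client Authentication = Request, and a hypothetical enrollment URL.
# The session table is keyed on the TLS session ID, so a resumed session
# reuses the earlier result instead of re-requesting the certificate.

when CLIENTSSL_CLIENTCERT {
    # Fires after the client answers the certificate request; the count is
    # 0 when the client sent an empty Certificate message.
    if { [SSL::cert count] == 0 } {
        # Remember the refusal so HTTP_REQUEST redirects instead of
        # renegotiating on every request.
        session add ssl [SSL::sessionid] "NONE" 600
        return
    }
    # SSL::verify_result is the OpenSSL verification code; 0 means the chain
    # validated against the profile's Trusted Certificate Authorities.
    if { [SSL::verify_result] != 0 } {
        log local0. "Client cert rejected: [X509::verify_cert_error_string [SSL::verify_result]]"
        session add ssl [SSL::sessionid] "NONE" 600
        return
    }
    # Store the leaf certificate base64-encoded (DER): one line, header-safe.
    session add ssl [SSL::sessionid] [b64encode [SSL::cert 0]] 600
}

when HTTP_REQUEST {
    # Never trust a client-supplied copy of the header we inject: remove it
    # before deciding what to insert, otherwise a client could spoof identity.
    HTTP::header remove "SSL_CLIENT_CERT"

    set result [session lookup ssl [SSL::sessionid]]
    if { $result eq "" } {
        # No entry yet (resumed session or expired entry): ask for a cert now.
        # As in the thread's own iRule, this request is not held back.
        SSL::renegotiate
        return
    }
    if { $result eq "NONE" } {
        # Client has no valid certificate: send it to the enrollment page
        # (hypothetical URL), carrying the original URI so it can return.
        HTTP::redirect "https://ca.example.com/enroll?return=[URI::encode [HTTP::uri]]"
        return
    }
    # Valid cert cached for this session: hand it to the backend.
    HTTP::header insert "SSL_CLIENT_CERT" $result
}
```

The 600-second session-table lifetime is an arbitrary choice; the entry goes away when the TLS session does, so a client that enrolls and reconnects with a fresh session is asked for its certificate again. Keeping the rejection marker in the session table rather than in a global variable is what hoolio's last reply calls for: every connection sees only its own session's state.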