
Forum Discussion

Eric_Frankenfie
Feb 14, 2013

Client SSL Authentication

I have a virtual server using a client SSL profile to offload SSL processing, but I would like to take this a step further and require SSL client authentication to prevent man-in-the-middle attacks. Each customer would be required to have their own SSL certificate to authenticate the requests, and all requests without a client authentication certificate would be dropped.

Virtual_Server_A --> SSL_Client_Profile_A --> Pool_A

Customer_A would have a certificate SSL_Auth_A

Customer_B would have a certificate SSL_Auth_B

Customer_C would have a certificate SSL_Auth_C

I am currently running version 10.2

How would I accomplish this?

11 Replies

  • I got a certificate from the client (a bank) which is self-signed with openssl on the client's laptop. Then how can I find the root CA to select, or how can I find the CA, as it was self-signed?

    Isn't the CA the client certificate itself (because it is self-signed)?

    [root@centos1 ~]# openssl x509 -in client_a.crt -noout -subject -issuer
    subject= /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
    issuer= /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
    

    When I set 'Client Certificate' to ignore, it works, but when I set 'Client Certificate' to require, it does not work.

    e.g.

     configuration
    
    root@ve10(Active)(tmos)# list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.9:https
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            myclientssl {
                context clientside
            }
            serverssl {
                context serverside
            }
            tcp { }
        }
        snat automap
    }
    root@ve10(Active)(tmos)# list ltm profile client-ssl myclientssl
    ltm profile client-ssl myclientssl {
        ca-file client_a.crt
        defaults-from clientssl
        peer-cert-mode require
    }
    
     self-signed certificate
    
    [root@ve10:Active] config # openssl x509 -in /config/ssl/ssl.crt/client_a.crt -noout -subject -issuer
    subject= /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
    issuer= /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
    
     test
    
    [root@centos1 ~]# curl -Ik https://172.28.24.9/ --cert client_a.crt --key client_a.key
    HTTP/1.1 200 OK
    Date: Sun, 16 Nov 2014 05:28:56 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sun, 09 Feb 2014 08:39:51 GMT
    ETag: "41879c-59-2a9c23c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
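The certificate side of both posts above, as an added example that is not part of the thread and not F5 code: the original question (one certificate per customer, everything else dropped) is answered by running a private CA and putting only the CA certificate in the profile's ca-file, and the reply's self-signed case falls out of the same check, because a self-signed certificate verifies against a ca-file that contains itself. The script builds that CA with the openssl CLI, issues a certificate to each of Customer_A, Customer_B and Customer_C, then applies the same "does it chain to ca-file?" test that peer-cert-mode require applies. The CA name, the customer subjects and the extra self-signed "Mallory" certificate are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the original thread, not F5 code): private CA,
# one client certificate per customer, and the chain check the BIG-IP
# performs with peer-cert-mode require. Names below are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. The private CA. Only ca.crt goes onto the BIG-IP (as ca-file);
#    ca.key stays offline, since whoever holds it can mint "customers".
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=GB/O=Example Ltd/CN=Example Client CA" \
        -keyout ca.key -out ca.crt >/dev/null 2>&1
}

# 2. One key pair and certificate per customer, signed by the CA.
#    The O= / CN= fields are what later tells customers apart.
issue_client_cert() {
    name="$1"
    openssl req -newkey rsa:2048 -nodes -subj "/C=GB/O=${name}/CN=${name}" \
        -keyout "${name}.key" -out "${name}.csr" >/dev/null 2>&1
    openssl x509 -req -in "${name}.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -sha256 -days 365 -out "${name}.crt" >/dev/null 2>&1
}

# 3. The check behind peer-cert-mode require: does the presented certificate
#    chain to something in the ca-file? Exit status 0 means "accepted".
chains_to() {
    cafile="$1"; cert="$2"
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
}

# Human-readable verdict for one certificate against one ca-file.
verdict() {
    if chains_to "$1" "$2"; then echo accepted; else echo rejected; fi
}

make_ca
for c in Customer_A Customer_B Customer_C; do issue_client_cert "$c"; done

# A certificate from an unrelated self-signed issuer (constructed attacker
# cert): a valid TLS client cert, but it must not pass the ca-file check.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=GB/O=Mallory/CN=Mallory" -keyout mallory.key -out mallory.crt \
    >/dev/null 2>&1

echo "ca-file = ca.crt:"
for c in Customer_A Customer_B Customer_C mallory; do
    printf '  %-11s %s\n' "$c" "$(verdict ca.crt "$c.crt")"
done

# The reply's situation: one self-signed client certificate used directly as
# the ca-file. It verifies against itself, so that setup works for exactly
# that one certificate and nothing else.
echo "ca-file = mallory.crt (self-signed cert as its own CA):"
printf '  %-11s %s\n' mallory "$(verdict mallory.crt mallory.crt)"
printf '  %-11s %s\n' Customer_A "$(verdict mallory.crt Customer_A.crt)"
```

On the BIG-IP side this maps onto the settings already visible in the reply's profile: put ca.crt in /config/ssl/ssl.crt (the reply imported client_a.crt the same way), point ca-file at it, and set peer-cert-mode to require; the profile then refuses any handshake without a certificate and any certificate that does not chain to ca.crt, which is the "all requests without a client authentication certificate would be dropped" requirement. What the profile does not do is tell Customer_A from Customer_B; it only answers "issued by my CA or not", so per-customer decisions (which pool, which URIs) have to be made from the verified certificate's subject after the handshake, and a leaked customer key has to be cut off through the profile's crl-file rather than by editing ca-file. Using a self-signed customer certificate directly as ca-file, as the reply does, is the one-client special case of the same rule.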