Forum Discussion

M_187467
Jan 13, 2016

Is it possible to create SNI profile enabling ondemand certificate authentication

Hello friends,

Is it possible to use an SNI profile in the VIP with on-demand certificate authentication?

0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server /Common/VIP_x.x.x.x_HTTPS.

I have a requirement where multiple applications hosted on the same VIP configured with SNI should be enabled with on-demand certificate authentication.

Please help.

SAM

6 Replies

  • Two different things here

    TLS SNI - This technology establishes a procedure for the Server (BigIP) to select the most appropriate Public SSL certificate to authenticate itself to the Client on a given Listener (Virtual Server).

    Certificate Authentication (SSL Mutual Authentication) - This option specifies if a Client must authenticate itself to the Server (BigIP).

    Now to come to your question, "Is it possible to create SNI profile enabling ondemand certificate authentication?"

    • I can confirm that TLS SNI and SSL-MA can co-exist together, but you probably already know that.
    • What may be new to you is that such a concept as "on-demand" doesn't exist in the SSL Mutual Authentication standard. Your options for SSL-MA implementation come down to "Required" or "Not Required". The Required method specifies that the SSL handshake will fail and the Client Request will not be processed unless the Client actually presents a correct certificate. In the case of the second option, the Client will be prompted to provide a certificate, but a failure to present a correct certificate will not result in an SSL handshake failure.

    The second option (Not Required) may be better if you wish to issue a HTTP redirect to a customer-friendly page which states the reason for failure, and lists some useful information, such as the instructions to obtain a Client Auth certificate. I like it better than having my customers be confused about the odd-looking SSL error.

    Regards,

    • Hannes_Rapp
      For the second option, you will need an iRule on top of your custom ClientSSL profile (TLS-SNI & SSL-MA enabled). In an iRule, you can check if the correct Client Cert was provided by comparing Serial Numbers. In case of bigger implementations, I manage Client Certificate Serial Numbers in LTM data-group. I'm sure there are many other ways, but this is what has worked for me so far. Now that the hard part is done, issuing a HTTP redirect in an iRule should be straight-forward.
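      The serial-number check and redirect described in the reply above, written out as an iRule. This is an added example, not code from the thread, from Hannes, or from F5. It assumes the virtual server's ClientSSL profiles have SNI enabled and Client Authentication set to "request" (the "Not Required" option), a string data-group named /Common/allowed_cert_serials whose keys are the permitted client-certificate serial numbers (in the form X509::serial_number returns on your version), and a help page at /cert-help.html served by the same virtual server; the data-group and page names are hypothetical.

```tcl
# Added example (not from the thread or from F5). Assumes ClientSSL profiles
# with SNI enabled and Client Authentication = "request", a data-group
# /Common/allowed_cert_serials holding permitted serials, and a help page at
# /cert-help.html on this virtual server. Both names are hypothetical.

when CLIENTSSL_CLIENTCERT {
    # Fires when the client answers the CertificateRequest. In "request"
    # mode the handshake completes even if no certificate was sent, so we
    # record what arrived here and decide at the HTTP layer.
    set client_serial ""
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        # Only keep the serial if the chain validated against the profile's
        # Trusted Certificate Authorities (verify_result 0 = OK). A serial
        # match on its own says nothing about who issued the certificate.
        set client_serial [X509::serial_number [SSL::cert 0]]
    }
}

when HTTP_REQUEST {
    # Let the help page itself through, otherwise the redirect loops.
    if { [HTTP::path] starts_with "/cert-help" } {
        return
    }
    # CLIENTSSL_CLIENTCERT does not fire on a resumed session, so the
    # variable may be unset; treat that as "no certificate presented".
    if { ![info exists client_serial] || $client_serial eq "" } {
        # Relative Location keeps the redirect on this host rather than
        # reflecting whatever the client put in its Host header.
        HTTP::respond 302 Location "/cert-help.html?reason=missing"
        return
    }
    if { ![class match $client_serial equals allowed_cert_serials] } {
        HTTP::respond 302 Location "/cert-help.html?reason=unknown"
        return
    }
    # Validated certificate with a known serial: the request proceeds.
}
```

      Two design points a practitioner would want on top of the reply: certificate serial numbers are only unique within one issuing CA, so the data-group approach is sound only while the profile's Trusted Certificate Authorities is a single CA (or the key also encodes the issuer); and because the cert-event does not run on resumed sessions, production deployments typically cache the decision per SSL session (for example with the `table` command keyed on SSL::sessionid) instead of redirecting a returning client.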
  • M_2

    Hello Hannes,

    Thanks for the response. I have tried creating two clientssl profiles enabling client authentication as below and have tried using both the profiles on a single VIP (enabled SNI).

    I get the below error when I do so. Error: 0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server /Common/VIP_x.x.x.x_HTTPS.

    Any suggestions to avoid this?

    SAM

  • How can I configure an ssl client profile to use 2 Advertised Certificate Authorities?