Mutual SSL not working as intended?
I have a vip I'm working on. It had 1-way SSL offloading enabled on it, and I enabled 2-way SSL by creating a Client CA file with 2 domains, tuv.com and xyz.com, along with their respective CA certs and enabling the file on the client-ssl profile, along with the settings authenticate always and peer-cert-mode required.
Now the customer is coming back to me saying it's not exactly working as intended. If he does a curl to the vip, and he supplies cert abc.com, cacert bundle and key, he's getting through.
Something like this:
curl --cert abc_com.crt:<password> --key abc_com.key --cacert abc_com-INT.crt https://myvip.com
Now my understanding is that with mutual SSL, only clients with the certs of tuv.com and xyz.com should be allowed to access the vip. I asked the customer to use openssl s_client to connect to the vip with the credentials for abc.com, but I'm having a hard time trying to tell whether it was or wasn't from the output.
Does anyone know of anything that can explain this behavior?
- atoth
Cirrus
I've tried changing the client ca-file to only have the base certs for tuv.com and xyz.com and not their respective CA certs. This prevents curl access even if you're using the certs for tuv.com and xyz.com.
I'm having a really hard time finding documentation for the expected behavior for 2-way SSL. If anyone knows a good source I'd appreciate it.
Besides that, I'd like to know the official purposes of the ca-file and the client ca-file fields in the clientssl profile.
For 2-way, my understanding is that they act as a whitelist for what client certs can and cannot access the vip. But this seems to not be the case, as my post above seems to show. This is either a massive bug, or the intended behavior, and I'm somehow leaning toward the latter.
If this is not a way to only allow certain sites to access your vip, what would be the best way to do so?
- Eric_Chen
Employee
The following has a good summary: https://support.f5.com/csp/article/K14783#4
If you want to only allow specific client certificates this is easy to do with Access Policy Manager to query for specific attributes (i.e. CN=123).
Otherwise it is possible to do with an iRule. The following non-F5 site has an iRule that appears to do something similar to what you are trying to achieve.
https://developers.docusign.com/esign-rest-api/guides/mutual-tls-f5
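As an added illustration of the iRule approach Eric_Chen suggests (this is example code written for this page, not F5's code and not the DocuSign iRule linked above), the following allow-lists client certificates by subject CN. The Client CA file on the client-ssl profile only validates that the presented certificate chains to one of the listed CAs; restricting access to particular certificates is a separate check, which is what this iRule does. The CN list is a hypothetical allow-list using the two names from the question; adjust it and the log facility to your environment.

```tcl
# Added example (not from the thread or from F5): allow-list client
# certificates by subject CN after the client-ssl profile has already
# validated the chain against the Client CA file.
when CLIENTSSL_CLIENTCERT {
    # Hypothetical allow-list; the two names are taken from the question above.
    set allowed_cns [list "tuv.com" "xyz.com"]

    # No certificate presented. With peer-cert-mode "required" the handshake
    # fails before this point; with "request" we have to enforce it here.
    if { [SSL::cert count] == 0 } {
        log local0. "mTLS: no client certificate from [IP::client_addr]"
        reject
        return
    }

    # Subject of the leaf certificate, e.g. "CN=tuv.com,OU=...,O=..."
    set subject [X509::subject [SSL::cert 0]]

    # Pull the CN out of the subject string; accept "," or "/" as separator.
    if { ![regexp {CN=([^,/]+)} $subject -> cn] } {
        log local0. "mTLS: client cert without CN ($subject) from [IP::client_addr]"
        reject
        return
    }
    set cn [string tolower [string trim $cn]]

    # Exact match against the allow-list; anything else is dropped and logged.
    if { [lsearch -exact $allowed_cns $cn] == -1 } {
        log local0. "mTLS: rejecting client cert CN=$cn from [IP::client_addr]"
        reject
        return
    }
    log local0. "mTLS: accepted client cert CN=$cn from [IP::client_addr]"
}
```

Attach the iRule to the virtual server alongside the client-ssl profile that carries the Client CA file; the profile still performs the chain validation, so a certificate that does not chain to tuv.com's or xyz.com's CA never reaches the CN check, and a certificate that does chain but carries a different CN is rejected and logged at the CN check.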