Forum Discussion

mreco_159588
Apr 14, 2017

RDP connection via application access fails when client certificate is set to require

I've set up a VIP with a client SSL profile that requires a certificate. The access policy on this VIP has some resource assignments: network access, rdp application access and rdp via app tunnel access. All of these resources work just fine, except the rdp application access. The connection is not established and the handshake gives this failure:

TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 269
    Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 3
        Certificates Length: 0
    Handshake Protocol: Client Key Exchange

However, another resource works just fine:

TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 269
    Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 3
        Certificates Length: 2647
    Handshake Protocol: Client Key Exchange

In the first capture, the certificate length is 0. In the second one it is 2647.

Now, I've set the client SSL profile to 'request' and all resources work just fine.

Can someone shed some light on this issue? Why does it fail when set to 'require'?
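
As an added illustration (not part of the thread or of any F5 tooling), a small parser for the TLS 1.2 Certificate handshake message that tells the two captures above apart: an empty certificate_list (Certificates Length 0) versus one that actually carries a chain. The sample messages below are constructed, not taken from the poster's captures.

```python
HANDSHAKE_CERTIFICATE = 11  # Handshake Type: Certificate (11), as in the captures

def parse_certificate_handshake(msg: bytes) -> dict:
    """Parse a TLS 1.2 Certificate handshake message (RFC 5246, 7.4.2).

    Layout: type (1 byte) | length (3 bytes) | certificate_list length (3 bytes)
    | zero or more entries of (3-byte length + DER certificate).
    Returns the declared lengths and the DER blobs found.
    """
    if len(msg) < 7:
        raise ValueError("truncated handshake message")
    if msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError(f"not a Certificate message: type {msg[0]}")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake body shorter than declared length")
    list_len = int.from_bytes(body[0:3], "big")
    if list_len != len(body) - 3:
        raise ValueError("certificate_list length does not match body")
    certs = []
    pos = 3
    while pos < 3 + list_len:
        cert_len = int.from_bytes(body[pos:pos + 3], "big")
        pos += 3
        cert = body[pos:pos + cert_len]
        if len(cert) != cert_len:
            raise ValueError("truncated certificate entry")
        certs.append(cert)
        pos += cert_len
    return {"length": body_len, "certificates_length": list_len, "certificates": certs}

def client_presented_certificate(msg: bytes) -> bool:
    """True when the client's Certificate message carries at least one cert."""
    return len(parse_certificate_handshake(msg)["certificates"]) > 0

# Constructed samples (not from the poster's capture).
# Failing case from the thread: Length 3, Certificates Length 0.
EMPTY_CERT_MSG = bytes([0x0b, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00])
# Working case: one entry holding a fake 4-byte DER blob.
FAKE_DER = b"\x30\x02\x05\x00"
_entry = len(FAKE_DER).to_bytes(3, "big") + FAKE_DER
_list = len(_entry).to_bytes(3, "big") + _entry
ONE_CERT_MSG = bytes([0x0b]) + len(_list).to_bytes(3, "big") + _list

if __name__ == "__main__":
    for name, msg in (("empty", EMPTY_CERT_MSG), ("one cert", ONE_CERT_MSG)):
        info = parse_certificate_handshake(msg)
        print(name, info["length"], info["certificates_length"], client_presented_certificate(msg))
```

A Certificate message with a zero-length list is a valid reply to a CertificateRequest; with the profile set to 'require' the server then aborts the handshake, which matches the failure in the first capture.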

  • Is the client presenting a valid certificate?

    If it's not SSL handshaking when it's set to "Require", that would suggest not.

    • mreco_159588

      The client does present its client certificate when initiating the connection to obtain the full webtop. That's the second TLS excerpt.

      When clicking the RDP resource on the full webtop, a new SSL handshake is performed, but now the client certificate is not presented and the SSL handshake fails.

      According to F5 support this is a client issue, but I don't see how I can configure the browser to not present a certificate one time and do present a certificate the other time.

      Any help here would be appreciated.

    • IainThomson85_1

      There's another setting on the F5 that forces a new SSL client session each time... can't remember the setting and I don't have an F5 in front of me to check.

    • mreco_159588

      I guess you mean 'Retain Certificate' under 'Client Authentication' in the Client SSL profile. I have already enabled that, but to no avail.