Forum Discussion

Devlin_T_149357's avatar
Devlin_T_149357
Aug 17, 2017

TLS Client Authentication from Server SSL Profile

Hi all

We have a requirement to enable an outbound (internet) flow from some internal servers. Sitting near the edge of the network is an LTM that will proxy the connection from the servers, and is required to then do TLS mutual authentication (client authentication) to the target server on the internet. In this setup the LTM is, from the internal server's point of view, the server, so we configure a Client SSL Profile. All good. Next the LTM is, from the target server's point of view, a client so we configure a Server SSL Profile. Unfortunately this is not working for us.

In the Server SSL profile we have set the Certificate and Key, which is the identity cert of the LTM itself signed by a 3rd party CA using a Web Server template with Client Authentication Key Usage.

The logs from the target server (Apache 2.4.7) show the following:

[ssl:info] [pid 5260:tid 2999946048] [client 10.128.2.109:58181] AH02008: SSL library error 1 in handshake (server server.com:443)
[ssl:info] [pid 5260:tid 2999946048] SSL Library Error: error:140880AE:SSL routines:SSL3_GET_CERT_VERIFY:missing verify message

My limited understanding on TLS MA is that the client should send a Certificate Verify message that proves it owns the private key. It appears the LTM is not sending this message which could explain why it is failing. I've tested a similar setup in my lab but bypassed the LTM and sure enough a Windows client does indeed send the Certificate Verify message and the transaction is successful.

Any ideas on this one?

Thank you.

application delivery
LTM
serverssl
ssl client authentication
ssltls
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Icon for Nacreous rankNacreous
    Aug 17, 2017

    Hi,

     

    If you configure TLS Client Authentication on your backend server, you must disable SSL processing on the Virtual Server configured on the BIG-IP. TLS Client Authentication is not passed from clientside to serverside as F5 device doesn't have the private key of the user.

     

    Alternatively, you can apply a valid certificate/key to the SSL Server profile to do client certificate authentication between the bigip device and the backend server. But it's only one certificate for all users.

     

    • Devlin_T_149357's avatar
      Devlin_T_149357
      Aug 17, 2017

      Hi Yann

       

      It is client authentication between the LTM and the target server we wish to do. We are not passing TLS from the real server to the target server via the LTM. There are two distinct TLS flows here:

       

      Source internal server -> LTM (client SSL profile applied)

       

      LTM -> target server on internet (server SSL profile applied)

       

      The issue is the second flow. The LTM is sending the certificate to the target server as the target server is sending the Certificate Request message. However, it appears the LTM is not sending a Certificate Verify message which the target server is complaining about.

       

      Thanks.

       

  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Aug 17, 2017

    Hi,

     

    If you configure TLS Client Authentication on your backend server, you must disable SSL processing on the Virtual Server configured on the BIG-IP. TLS Client Authentication is not passed from clientside to serverside as F5 device doesn't have the private key of the user.

     

    Alternatively, you can apply a valid certificate/key to the SSL Server profile to do client certificate authentication between the bigip device and the backend server. But it's only one certificate for all users.

     

    • Devlin_T_149357's avatar
      Devlin_T_149357
      Aug 17, 2017

      Hi Yann

       

      It is client authentication between the LTM and the target server we wish to do. We are not passing TLS from the real server to the target server via the LTM. There are two distinct TLS flows here:

       

      Source internal server -> LTM (client SSL profile applied)

       

      LTM -> target server on internet (server SSL profile applied)

       

      The issue is the second flow. The LTM is sending the certificate to the target server as the target server is sending the Certificate Request message. However, it appears the LTM is not sending a Certificate Verify message which the target server is complaining about.

       

      Thanks.

       

  • Devlin_T_149357's avatar
    Devlin_T_149357
    Sep 08, 2017

    Thought I'd update this thread for others. I managed to get this working in the end, not through any configuration changes or anything. I got a trial license for v12.1 as my lab license only supports up to 11.6.1. Turns out that with literally the same config line-by-line on the v12.1, this now works. That is, the LTM now sends the Certificate Verify message to the server and everyone is happy.

     

    The only thing I can think of right now is that this must be a bug.

     

    • mahmoudabdelhay's avatar
      mahmoudabdelhay
      Icon for Nimbostratus rankNimbostratus
      Jun 16, 2020

      hello devlin ,

       

      i have simulated the same scenario but not working , our version is 15.1.0 ASM module only

       

      is there any required license ?