Forum Discussion

Peter_Lowdon's avatar
Peter_Lowdon
Icon for Altocumulus rankAltocumulus
Sep 23, 2018

When was SSL mutual authentication introduced to Big-IP?

Hey f5'ers,

 

I have a question around SSL Mutual Authentication. Does anyone know when was mutual authentication introduced to LTM and which version of Big-IP in was introduced with please? We are experiencing some difficulty in establishing a mutually authenticated TLS1.2 session between another organisation's f5 LTM and our NGINX server. We can see their f5 LTM sending a client certificate/signer/root bundle when prompted but our NGINX server is then closing the connection with an ASN1 parsing issue. They are claiming that they have discovered that their version of Big-IP is unable to perform mutual authentication with TLS1.2, but given that we see their client certificate arriving at our NGINX server and WE are closing the connection, that doesn't make sense.

 

I just wanted to clarify when exactly MA was introduced to Big-IP as I've been using it for 6 years now and I imagine it must have been there for ages?

 

Thanks in advance, Peter

 

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus

    IIRC client certs (Server SSL profile equivalent) were a possibility in v4... I can't remember if client certs in server ssl profiles were a possibility in v3, but would be surprised it they weren't.

     

  • The BIG-IP has been able to support mutual auth from the beginning. But of course TLSv1.2 didn't come until later. Mutual auth and TLSv1.2 are different things though, and MA is generally irrespective of the TLS version (except for maybe digital signature SHA version support).

    The best place to start is with an ssldump capture:

    ssldump -AdNn -i [client side VLAN] port 443
    

    This will tell you exactly when the connection is breaking. And if it is breaking immediately after the client's cert message, it typically implies that the server doesn't like the cert, not that TLS has anything to do with it (because the TLS parameters were chosen in the ServerHello message).