2 Way SSL not working as client certificate length is 0

Sodamax
Altostratus

I have already configured Client Certificate as request, but it is not working. Can anyone please help or guide me?


mihaic
MVP

From the above pictures, it seems that the client does not present a client certificate.

https://my.f5.com/manage/s/article/K12140946

I tried to test with the physical IP (not F5) and it works!!

When I change the physical IP to the VIP (F5), it does not work.

mihaic
MVP

When you say "vip(f5)", do you mean the DNS name of the VIP? Can you ping that name? Is it the same as your "physical IP"?

No, not the same.

VIP (F5) means the load balancer IP.

Physical IP means the DNS name.

Thanks

mihaic
MVP

You have to explain your setup, as it is not clear.

If you test different things, you get different results.

VIP usually is a virtual server with an IP address. A DNS name usually points to this IP address.

CA_Valli
MVP

So, if I interpreted this correctly.

Your current scenario has a certain service that requires SSL client authentication and is working as intended.

You need F5 to proxy this traffic. Will it still forward traffic to the "original" destination, or will it be a new service with a different FQDN? Also, do you plan on using F5 to offload the SSL from your original service, or do you still need encrypted communication between F5 <> real server?

In your tests via F5, are you testing traffic "directly" with F5 IP or have you configured a "hosts file"/dns entry to point to F5?

This will help us understand better which profiles are required and what options you should enable 🙂 

Regards

CA

Yes, I still need encrypted communication between F5 <> real server, and I am testing traffic "directly" with the F5 IP.

How do I configure F5 to send the client certificate to the destination server?

This is my config:

Thanks

There's the option to do it with an HTTP header: https://my.f5.com/manage/s/article/K95338243
Or you can enable ProxySSL on both your client and server SSL profiles: https://my.f5.com/manage/s/article/K13385
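
The HTTP-header option from the last reply, written as an iRule. This is an added example, not code from the thread or from the linked F5 articles; the header name `X-Client-Cert` is an assumption, and it presumes the client SSL profile on the virtual server requests or requires a client certificate.

```tcl
# Added example (not from the thread or from F5's articles).
# Assumption: "X-Client-Cert" is a header name chosen here; use whatever
# name the back-end application is written to read.
when HTTP_REQUEST {
    # Always drop any copy of the header sent by the client, so the back end
    # only ever sees a value written by the BIG-IP.
    HTTP::header remove "X-Client-Cert"

    if { [SSL::cert count] > 0 } {
        # SSL::cert 0 returns the client's leaf certificate in DER form;
        # base64 encoding keeps it on a single header line.
        HTTP::header insert "X-Client-Cert" [b64encode [SSL::cert 0]]
    } else {
        # No certificate was presented on this TLS session (the
        # "client certificate length is 0" case): log it and refuse.
        log local0.warning "No client certificate from [IP::client_addr]"
        HTTP::respond 403 content "Client certificate required"
    }
}
```

With this approach the BIG-IP terminates the client's TLS session, so the real server no longer sees the client certificate in its own handshake and should accept the header only on connections that come from the BIG-IP.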