Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

2 Way SSL not working as client certificate length is 0

Sodamax
Altostratus
Altostratus

‎02-Apr-2023 20:48

I have already config about Client certificate is request, But not working. Can anyone please help me or guide me.
4DB40823-6854-46D0-B4F1-9AAB039A95B8.jpeg

E5CC804C-B41C-4495-8ABB-21B5CA402134.jpeg

Labels:
0 Kudos
8 REPLIES 8

mihaic
MVP
MVP

‎02-Apr-2023 23:13

from the above pictures, it seems that the client does not present a client certificate.

https://my.f5.com/manage/s/article/K12140946

 

0 Kudos

Sodamax
Altostratus
Altostratus
In response to mihaic

‎02-Apr-2023 23:51 - edited ‎02-Apr-2023 23:52

I try to test with physical ip(not f5) it work!!

When i change physical ip to vip(f5) it not work.

0 Kudos

mihaic
MVP
MVP

‎02-Apr-2023 23:54

when you say "vip(f5)" do you mean the DNS name of the VIP? Can you ping that name? Is it the same as your "physical IP"?

0 Kudos

Sodamax
Altostratus
Altostratus
In response to mihaic

‎03-Apr-2023 00:54

No not same.

vip(f5) it mean ip load balancer

physical ip it mean DNS name

Thanks

0 Kudos

mihaic
MVP
MVP

‎03-Apr-2023 01:52

You have to explain your setup, as it is not clear.

If you test different things, you get different results.

VIP usually is a virtual server with an IP address.  A DNS name usually points to this IP address.

 

 

0 Kudos

CA_Valli
MVP
MVP

‎03-Apr-2023 03:29

So, if I interpreted this correctly.

Your current scenario has a certain service that requires SSL client authentication and is working as intended.

You need F5 to proxy this traffic. Will it still forward traffic to "original" destination, or will it be a new service with a different fqdn? Also, do you plan on using F5 to offload the SSL from your original service, or do you still need encrypted comunication between f5 <> real server? 

In your tests via F5, are you testing traffic "directly" with F5 IP or have you configured a "hosts file"/dns entry to point to F5?

This will help us understand better which profiles are required and what options you should enable 🙂 

Regards

CA

0 Kudos

Sodamax
Altostratus
Altostratus
In response to CA_Valli

‎04-Apr-2023 09:58 - edited ‎04-Apr-2023 10:31

Yes, I still need encrypted comunication between f5 <> real server and I testing traffic "directly" with F5 IP.

How to config on F5 for send client certificate to destination server?

This my config 

AFB61536-7A91-4284-8967-121EB6608FB1.jpeg

Thanks

0 Kudos

CA_Valli
MVP
MVP
In response to Sodamax

‎05-Apr-2023 05:12

There's the option to do it with a HTTP header: https://my.f5.com/manage/s/article/K95338243
Or you can enable ProxySSL on both your client- and server- SSL profiles: https://my.f5.com/manage/s/article/K13385

CA_Valli_0-1680696684274.png

 

0 Kudos
Copyright © 2023 Khoros, LLC