
C3D first request problem

Manuel_
Altocumulus

Hi all,

We have an application that has a login button, and when you press it you can log in with a certificate. This is working perfectly fine.

We have put in front of the app a virtual server with SSL profiles configured with C3D (Client Certificate Constrained Delegation) and added the C3D CA to the trusted store of the app's server.

When we try to log in through the virtual server we can, and the app works as expected: the generated certificate reaches the app, the user is logged in and we see possible threats on ASM.

However the login process is not exactly as if we do it directly with the app.

The first time a user tries to log in, the browser asks for the certificate, the user selects it and then an error shows up in the browser, but it quickly disappears because the browser automatically refreshes itself.

If the same user closes the browser, opens it again and tries to log in, this time no error is shown and the process goes normally, like when users log in directly to the app without the virtual server in the middle.

Client SSL profile:

(screenshot of the Client SSL profile settings)

Server SSL profile:

(screenshot of the Server SSL profile settings)

We also have an iRule like this on the virtual server to only ask for the certificate on the login page, not anywhere else:

when CLIENTSSL_CLIENTCERT {
    # Release the held request as soon as the client certificate is received
    HTTP::release
}

when HTTP_REQUEST {
    # Some tests to determine if IS_LOGIN_PAGE
    if { IS_LOGIN_PAGE } {
        # Hold the request, then force a renegotiation that asks the client for a certificate
        HTTP::collect
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode request
        SSL::renegotiate
    }
}

Any thoughts on what could be the cause?

Any help is appreciated!

1 ACCEPTED SOLUTION

Manuel_
Altocumulus

With the iRule like this the error does not occur:

when CLIENTSSL_HANDSHAKE {
  # Release the held request only once the renegotiation has actually delivered a certificate
  if { [SSL::cert count] != 0 } {
    HTTP::release
  }
}

when HTTP_REQUEST {
    # Some tests to determine if IS_LOGIN_PAGE
    if { IS_LOGIN_PAGE } {
        # Hold the request, then force a renegotiation that asks the client for a certificate
        HTTP::collect
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode request
        SSL::renegotiate
    }
}

The only problem I've seen happens if the user cancels the select certificate dialog in the browser but that doesn't worry us a lot.
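An added example, not Manuel's iRule or F5-provided code, that extends the accepted solution to the cancelled-dialog case mentioned above: the held request is released only when a certificate arrived, and a renegotiation that completes without one is reset instead of leaving the collected request waiting. The `/login` path test and the `need_cert` variable are assumed placeholders for the original IS_LOGIN_PAGE check.

```tcl
when HTTP_REQUEST {
    # Assumed placeholder for the IS_LOGIN_PAGE test; "/login" is not from the original post.
    if { [HTTP::path] starts_with "/login" } {
        # Mark this request as waiting for a client certificate so the handshake
        # event below can tell the login renegotiation from the initial handshake.
        set need_cert 1
        HTTP::collect
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode request
        SSL::renegotiate
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires for the initial handshake as well; only act after a login renegotiation.
    if { ![info exists need_cert] } {
        return
    }
    unset need_cert
    if { [SSL::cert count] > 0 } {
        # Certificate received: record the subject for the audit trail, then release the request.
        log local0. "C3D login: client cert subject [X509::subject [SSL::cert 0]] from [IP::client_addr]"
        HTTP::release
    } else {
        # User cancelled the certificate dialog: fail closed rather than leaving the
        # collected request held open until the connection times out.
        log local0. "C3D login: no client certificate presented by [IP::client_addr]"
        reject
    }
}
```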


10 REPLIES

mihaic
MVP

Try removing:

  SSL::session invalidate

Thanks for the reply, but unfortunately the same thing happens.

mihaic
MVP

Probably you need to do more troubleshooting and see what that error says.

Here is a link that might help you:

https://support.f5.com/csp/article/K15475

Thanks for the link.

I have tried tcpdump between the browser and the F5 simultaneously with another tcpdump between the F5 and the final server. What happens is that the first time the F5 sends a TCP Certificate Request to the browser and the user selects the certificate to log in, no certificate arrives at the F5; but then the browser refreshes itself and, without the user doing anything, the certificate he had selected before arrives at the F5 and he is logged in to the app correctly.

mihaic
MVP

Have you tried with other browsers? Are all acting the same?

I don't know what browser you use. But try with others.

Yes, all browsers act the same. I have tried with Edge, Chrome and Firefox.

mihaic
MVP

Have you tried:

 SSL::cert mode required


Yep and the same thing happens.

I think I have the solution, gotta do some testing and if it all works I'll post it here.

Thanks a lot for your help.

mihaic
MVP

Thanks!

Good to know.