
Client authentication - LTM

THE_BLUE
Cirrus

I'm trying to apply client authentication using a certificate, where the certificate is required; otherwise you can't view the link. The public certificate is installed on the client side and the private one is configured in the WAF. I'm using the iRule below to achieve that:

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/mylink/" } {
            if { [SSL::cert count] <= 0 } {
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }

 

But I got an SSL handshake error as a warning in the WAF, so is there any error in the above rule? Or does it require another setup in the SSL profile? Note that I have different URLs which require different certificates, but all of them are under /mylink/. For certificates, I have one profile containing all the required certificates.

7 REPLIES

xuwen
Cirrus

When your iRule works (LTM initiates an SSL HelloRequest, requiring the client to initiate a new SSL connection to LTM) and the client attempts SSL::renegotiate (the client brings its client cert) to LTM, you should HTTP::release the clientside HTTP traffic:

 

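    when CLIENTSSL_HANDSHAKE {
        # A client certificate is now present: release the request
        # that HTTP::collect has been holding.
        if { [SSL::cert count] > 0 } {
            HTTP::release
        }
    }

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/mylink/" } {
            if { [SSL::cert count] == 0 } {
                # Hold the request while the client certificate is requested.
                HTTP::collect
                # Invalidate the current session so it is not resumed.
                SSL::session invalidate
                # Request and require a client certificate on the new handshake.
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate enable
                SSL::renegotiate
            }
        }
    }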

THE_BLUE
Cirrus

Dear xuwen,

Thank you very much.

Is there any change I have to make to the SSL profile?

In the clientssl profile, renegotiation should be enabled. Also, in the client authentication part, under Trusted Certificate Authorities, select the intermediate/issuer certificate of the client certificate.

You can also modify the iRule if the requirement is to parse the client cert subjectDN and allow access to it, or add it as a header to send it to the pool member for authorization.
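
The header-forwarding option mentioned above, as an added example that is not part of the original thread: it passes the client certificate subject to the pool member and strips any copy of the header sent by the client, so the backend only ever sees a value set by the BIG-IP. It runs in HTTP_REQUEST_SEND because HTTP_REQUEST has already fired for the held request by the time the renegotiated handshake delivers the certificate; the header name X-Client-Cert-Subject is an assumption.

```tcl
# Added example, not code from the thread.
# Assumption: the pool member reads the subject from "X-Client-Cert-Subject".
when HTTP_REQUEST_SEND {
    # HTTP_REQUEST_SEND is a server-side event, so client-side commands
    # (HTTP::*, SSL::cert, SSL::verify_result) run inside "clientside".
    clientside {
        # Always drop a client-supplied copy of the header, on every URI,
        # so a caller cannot forge an identity toward the pool member.
        HTTP::header remove "X-Client-Cert-Subject"

        if { [HTTP::uri] starts_with "/mylink/" } {
            # Forward the subject only when a certificate was presented
            # and chain verification succeeded (verify result 0 = OK).
            if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
                HTTP::header insert "X-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
            } else {
                # Leave the header absent; the pool member must treat a
                # missing header as unauthenticated.
                log local0. "No verified client certificate from [IP::client_addr] for a /mylink/ request"
            }
        }
    }
}
```

The pool member should accept this header only on connections coming from the BIG-IP, since any other path to the backend would let a caller set it directly.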

Renegotiation is enabled and I have tested the connection using SoapUI, but I got an error: "javax.net.ssl.SSLException: Connection reset"

Is there another option to test?

SanjayP
MVP

Does SoapUI have the required client certificate for testing? Capture a tcpdump/ssldump to analyse where it's breaking.

Yes, the idea is I have an API link which requires client authentication. In SoapUI I have attached the certificate and requested the API, but there is no response and I got the above error.

Have you confirmed with a tcpdump that the server requests the cert and the client cert is sent as expected?

You can also try with another client like curl or such to test.