
atoth
Aug 28, 2019

Mutual SSL not working as intended?

I have a VIP I'm working on. It had 1-way SSL offloading enabled on it, and I enabled 2-way SSL by creating a Client CA file with 2 domains, tuv.com and xyz.com, along with their respective CA certs, and enabling the file on the client-ssl profile, along with the settings authenticate always and peer-cert-mode required.


Now the customer is coming back to me saying it's not exactly working as intended. If he does a curl to the VIP, and he supplies the abc.com cert, CA cert bundle and key, he's getting through.


Something like this:

curl --cert abc_com.crt:<password> --key abc_com.key --cacert abc_com-INT.crt https://myvip.com


Now my understanding is that with mutual SSL, only clients with the certs of tuv.com and xyz.com should be allowed to access the VIP. I asked the customer to use openssl s_client to connect to the VIP with the credentials for abc.com, but I'm having a hard time telling from the output whether it was or wasn't accepted.


Does anyone know of anything that can explain this behavior?

2 Replies

  • I've tried changing the client ca-file to only have the base certs for tuv.com and xyz.com and not their respective CA certs. This prevents curl access even if you're using the certs for tuv.com and xyz.com.


    I'm having a really hard time finding documentation for the expected behavior of 2-way SSL. If anyone knows a good source I'd appreciate it.


    Besides that, I'd like to know the official purposes of the ca-file and the client ca-file fields in the clientssl profile.


    For 2-way, my understanding is that they act as a whitelist for which client certs can and cannot access the VIP. But this seems not to be the case, as my post above seems to show. This is either a massive bug or the intended behavior, and I'm somehow leaning toward the latter.


    If this is not a way to only allow certain sites to access your VIP, what would be the best way to do so?