Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Need help passing the cert to the pool member when using client/server ssl profiles

Mizzouri
Nimbostratus
Nimbostratus

‎29-Jan-2020 12:14

Our application developers are launching Mirth and I've setup a Standard VIP listening on 443, http profile, with client/server ssl profile and an iRule (uri based). The server cert portion is working just fine, but was informed yesterday that they needed the client cert to be passed along to the pool members. After doing some reading, I set both profiles to Proxy SSL. Once I set that, they immediately saw SSL handshake failures. From a SSLDUMP I am seeing the following:

 

 # ssldump -r /var/tmp/proxycap.pcap

New TCP connection #1: 10.144.22.176(53294) <-> 10.144.20.176(443)

1 1 0.0008 (0.0008) C>S SSLv2 compatible client hello

 Version 3.3

 cipher suites

 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 

 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 

 TLS_RSA_WITH_AES_256_CBC_SHA256 

 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 

 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 

 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 

 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 

 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 

 SSL2_CK_3DES 

 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 

 TLS_RSA_WITH_AES_256_CBC_SHA 

 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 

 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 

 TLS_DHE_RSA_WITH_AES_256_CBC_SHA 

 TLS_DHE_DSS_WITH_AES_256_CBC_SHA 

 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 

 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 

 TLS_RSA_WITH_AES_128_CBC_SHA256 

 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 

 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 

 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 

 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 

 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 

 SSL2_CK_DES 

 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 

 TLS_RSA_WITH_AES_128_CBC_SHA 

 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 

 SSL2_CK_RC4 

 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 

 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 

 TLS_DHE_DSS_WITH_AES_128_CBC_SHA 

 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 

 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 

 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 

 TLS_RSA_WITH_AES_256_GCM_SHA384 

 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 

 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 

 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 

 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 

 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 

 TLS_RSA_WITH_AES_128_GCM_SHA256 

 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 

 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 

 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 

 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 

 TLS_EMPTY_RENEGOTIATION_INFO_SCSV 

 Unknown value 0xa7 

 Unknown value 0xa6 

 TLS_DH_anon_WITH_AES_256_CBC_SHA256 

 Unknown value 0xc019 

 TLS_DH_anon_WITH_AES_256_CBC_SHA 

 TLS_DH_anon_WITH_AES_128_CBC_SHA256 

 Unknown value 0xc018 

 TLS_DH_anon_WITH_AES_128_CBC_SHA 

 TLS_RSA_WITH_DES_CBC_SHA 

 SSL2_CK_DES 

 TLS_DHE_RSA_WITH_DES_CBC_SHA 

 TLS_DHE_DSS_WITH_DES_CBC_SHA 

 TLS_DH_anon_WITH_DES_CBC_SHA 

 TLS_RSA_WITH_NULL_SHA256 

 Unknown value 0xc006 

 SSL2_CK_RC2_EXPORT40 

 Unknown value 0xc010 

 TLS_RSA_WITH_NULL_SHA 

 Unknown value 0xc001 

 Unknown value 0xc00b 

 Unknown value 0xc015 

 TLS_RSA_WITH_NULL_MD5 

 Unknown value 0x1e 

 Unknown value 0x22 

1 2 0.0063 (0.0055) S>C Alert

   level          fatal

   value          handshake_failure

1   0.0064 (0.0000) S>C TCP RST

 

The F5 is a 1600 running 12.1.2 code. let me know if I am overlooking something or there is a better way to perform this for the app team. Thanks.

Labels:
0 Kudos
5 REPLIES 5

Simon_Blakely
F5 Employee
F5 Employee

‎29-Jan-2020 14:08

 

 

As it appears that the pool member requires information from the client-side client auth certificate, you really need to use:

K72668381:  Overview of the SSL Client Certificate Constrained Delegation feature

 

which requires upgrading to 13.1.x

 

K14065425:  Configuring Client Certificate Constrained Delegation (C3D)

 

 

0 Kudos

Mizzouri
Nimbostratus
Nimbostratus

‎29-Jan-2020 14:28

Silly question, what is the latest version of software the 1600 series will support? Thanks again for your quick response!

0 Kudos

Simon_Blakely
F5 Employee
F5 Employee
In response to Mizzouri

‎29-Jan-2020 14:31

K9476:  The F5 hardware/software compatibility matrix

 

1600 - BigIP 12.1.2

 

Get a Virtual Edition License ...

0 Kudos

Mizzouri
Nimbostratus
Nimbostratus

‎05-Feb-2020 07:46

Alright, back again. We had a 4200 unit lying around which was recently reclaimed from another location. I've wiped it clean and upgraded the software to BIG-IP 15.1.0 Build 0.0.31 Final. I've duplicated the VIP setup from lat time and appending in the C3D pieces to the client/server ssl profiles. I seem to be stuck at the client cert handshake:

 

New TCP connection #3: 10.93.169.32(57353) <-> 10.144.20.10(443)

3 1 0.0515 (0.0515) C>S Handshake

     ClientHello

       Version 3.1

       cipher suites

         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

         TLS_RSA_WITH_AES_256_CBC_SHA

         TLS_RSA_WITH_AES_128_CBC_SHA

         TLS_RSA_WITH_3DES_EDE_CBC_SHA

       compression methods

                 NULL

       extensions

         server_name

         status_request

         supported_groups

         ec_point_formats

         SessionTicket

         extended_master_secret

         Unknown extension (0x18)

         renegotiation_info

3 2 0.0526 (0.0010) S>C Handshake

     ServerHello

       Version 3.1

       session_id[32]=

         cf e2 d9 64 73 36 1d d9 56 ca c2 8c 7b 9e 65 82

         b8 b5 15 06 e3 01 d1 9a 1a 6c 08 82 8b 6e f5 d0

       cipherSuite        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

       compressionMethod                  NULL

       extensions

         renegotiation_info

         ec_point_formats

         extended_master_secret

3 3 0.0526 (0.0000) S>C Handshake

     Certificate

3 4 0.0526 (0.0000) S>C Handshake

     ServerKeyExchange

3 5 0.0526 (0.0000) S>C Handshake

     CertificateRequest

       certificate_types                  rsa_sign

       certificate_types                  dss_sign

       certificate_types                  ecdsa_sign

3 6 0.0526 (0.0000) S>C Handshake

     ServerHelloDone

3 7 0.1059 (0.0533) C>S Handshake

     Certificate

     ClientKeyExchange

     CertificateVerify

3 8 0.1059 (0.0000) C>S ChangeCipherSpec

3 9 0.1059 (0.0000) C>S Handshake

3 10 0.1063 (0.0003) S>C Alert

   level          fatal

   value          handshake_failure

3   0.1063 (0.0000) S>C TCP FIN

3   0.1342 (0.0279) C>S TCP FIN

New TCP connection #4: 10.93.169.32(57354) <-> 10.144.20.10(443)

4   0.0203 (0.0203) C>S TCP FIN

4   0.0203 (0.0000) S>C TCP FIN

(cfg-sync Standalone)(Active)(/Common)(tmos)#

 

0 Kudos

Simon_Blakely
F5 Employee
F5 Employee
In response to Mizzouri

‎05-Feb-2020 18:26

You probably need to capture both the client and server-side handshakes at the same time.

You may be getting a server-side authentication failure when the forged certificate is passed to the pool member.

0 Kudos
Copyright © 2022 Khoros, LLC