cancel
Showing results for 
Search instead for 
Did you mean: 

Need help passing the cert to the pool member when using client/server ssl profiles

Mizzouri
Nimbostratus
Nimbostratus

Our application developers are launching Mirth and I've setup a Standard VIP listening on 443, http profile, with client/server ssl profile and an iRule (uri based). The server cert portion is working just fine, but was informed yesterday that they needed the client cert to be passed along to the pool members. After doing some reading, I set both profiles to Proxy SSL. Once I set that, they immediately saw SSL handshake failures. From a SSLDUMP I am seeing the following:

 

 # ssldump -r /var/tmp/proxycap.pcap

New TCP connection #1: 10.144.22.176(53294) <-> 10.144.20.176(443)

1 1 0.0008 (0.0008) C>S SSLv2 compatible client hello

 Version 3.3

 cipher suites

 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 

 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 

 TLS_RSA_WITH_AES_256_CBC_SHA256 

 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 

 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 

 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 

 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 

 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 

 SSL2_CK_3DES 

 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 

 TLS_RSA_WITH_AES_256_CBC_SHA 

 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 

 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 

 TLS_DHE_RSA_WITH_AES_256_CBC_SHA 

 TLS_DHE_DSS_WITH_AES_256_CBC_SHA 

 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 

 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 

 TLS_RSA_WITH_AES_128_CBC_SHA256 

 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 

 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 

 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 

 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 

 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 

 SSL2_CK_DES 

 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 

 TLS_RSA_WITH_AES_128_CBC_SHA 

 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 

 SSL2_CK_RC4 

 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 

 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 

 TLS_DHE_DSS_WITH_AES_128_CBC_SHA 

 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 

 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 

 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 

 TLS_RSA_WITH_AES_256_GCM_SHA384 

 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 

 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 

 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 

 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 

 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 

 TLS_RSA_WITH_AES_128_GCM_SHA256 

 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 

 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 

 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 

 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 

 TLS_EMPTY_RENEGOTIATION_INFO_SCSV 

 Unknown value 0xa7 

 Unknown value 0xa6 

 TLS_DH_anon_WITH_AES_256_CBC_SHA256 

 Unknown value 0xc019 

 TLS_DH_anon_WITH_AES_256_CBC_SHA 

 TLS_DH_anon_WITH_AES_128_CBC_SHA256 

 Unknown value 0xc018 

 TLS_DH_anon_WITH_AES_128_CBC_SHA 

 TLS_RSA_WITH_DES_CBC_SHA 

 SSL2_CK_DES 

 TLS_DHE_RSA_WITH_DES_CBC_SHA 

 TLS_DHE_DSS_WITH_DES_CBC_SHA 

 TLS_DH_anon_WITH_DES_CBC_SHA 

 TLS_RSA_WITH_NULL_SHA256 

 Unknown value 0xc006 

 SSL2_CK_RC2_EXPORT40 

 Unknown value 0xc010 

 TLS_RSA_WITH_NULL_SHA 

 Unknown value 0xc001 

 Unknown value 0xc00b 

 Unknown value 0xc015 

 TLS_RSA_WITH_NULL_MD5 

 Unknown value 0x1e 

 Unknown value 0x22 

1 2 0.0063 (0.0055) S>C Alert

   level          fatal

   value          handshake_failure

1   0.0064 (0.0000) S>C TCP RST

 

The F5 is a 1600 running 12.1.2 code. let me know if I am overlooking something or there is a better way to perform this for the app team. Thanks.

5 REPLIES 5

Simon_Blakely
F5 Employee
F5 Employee

 

 

As it appears that the pool member requires information from the client-side client auth certificate, you really need to use:

K72668381:  Overview of the SSL Client Certificate Constrained Delegation feature

 

which requires upgrading to 13.1.x

 

K14065425:  Configuring Client Certificate Constrained Delegation (C3D)

 

 

Mizzouri
Nimbostratus
Nimbostratus

Silly question, what is the latest version of software the 1600 series will support? Thanks again for your quick response!

K9476:  The F5 hardware/software compatibility matrix

 

1600 - BigIP 12.1.2

 

Get a Virtual Edition License ...

Mizzouri
Nimbostratus
Nimbostratus

Alright, back again. We had a 4200 unit lying around which was recently reclaimed from another location. I've wiped it clean and upgraded the software to BIG-IP 15.1.0 Build 0.0.31 Final. I've duplicated the VIP setup from lat time and appending in the C3D pieces to the client/server ssl profiles. I seem to be stuck at the client cert handshake:

 

New TCP connection #3: 10.93.169.32(57353) <-> 10.144.20.10(443)

3 1 0.0515 (0.0515) C>S Handshake

     ClientHello

       Version 3.1

       cipher suites

         TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

         TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

         TLS_RSA_WITH_AES_256_CBC_SHA

         TLS_RSA_WITH_AES_128_CBC_SHA

         TLS_RSA_WITH_3DES_EDE_CBC_SHA

       compression methods

                 NULL

       extensions

         server_name

         status_request

         supported_groups

         ec_point_formats

         SessionTicket

         extended_master_secret

         Unknown extension (0x18)

         renegotiation_info

3 2 0.0526 (0.0010) S>C Handshake

     ServerHello

       Version 3.1

       session_id[32]=

         cf e2 d9 64 73 36 1d d9 56 ca c2 8c 7b 9e 65 82

         b8 b5 15 06 e3 01 d1 9a 1a 6c 08 82 8b 6e f5 d0

       cipherSuite        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

       compressionMethod                  NULL

       extensions

         renegotiation_info

         ec_point_formats

         extended_master_secret

3 3 0.0526 (0.0000) S>C Handshake

     Certificate

3 4 0.0526 (0.0000) S>C Handshake

     ServerKeyExchange

3 5 0.0526 (0.0000) S>C Handshake

     CertificateRequest

       certificate_types                  rsa_sign

       certificate_types                  dss_sign

       certificate_types                  ecdsa_sign

3 6 0.0526 (0.0000) S>C Handshake

     ServerHelloDone

3 7 0.1059 (0.0533) C>S Handshake

     Certificate

     ClientKeyExchange

     CertificateVerify

3 8 0.1059 (0.0000) C>S ChangeCipherSpec

3 9 0.1059 (0.0000) C>S Handshake

3 10 0.1063 (0.0003) S>C Alert

   level          fatal

   value          handshake_failure

3   0.1063 (0.0000) S>C TCP FIN

3   0.1342 (0.0279) C>S TCP FIN

New TCP connection #4: 10.93.169.32(57354) <-> 10.144.20.10(443)

4   0.0203 (0.0203) C>S TCP FIN

4   0.0203 (0.0000) S>C TCP FIN

(cfg-sync Standalone)(Active)(/Common)(tmos)#

 

You probably need to capture both the client and server-side handshakes at the same time.

You may be getting a server-side authentication failure when the forged certificate is passed to the pool member.