Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

TLS Client Authentication from Server SSL Profile

Devlin_T_149357
Nimbostratus
Nimbostratus

Hi all

 

We have a requirement to enable an outbound (internet) flow from some internal servers. Sitting near the edge of the network is an LTM that will proxy the connection from the servers, and is required to then do TLS mutual authentication (client authentication) to the target server on the internet. In this setup the LTM is, from the internal server's point of view, the server, so we configure a Client SSL Profile. All good. Next the LTM is, from the target server's point of view, a client so we configure a Server SSL Profile. Unfortunately this is not working for us.

 

In the Server SSL profile we have set the Certificate and Key, which is the identity cert of the LTM itself signed by a 3rd party CA using a Web Server template with Client Authentication Key Usage.

 

The logs from the target server (Apache 2.4.7) show the following:

 

[ssl:info] [pid 5260:tid 2999946048] [client 10.128.2.109:58181] AH02008: SSL library error 1 in handshake (server server.com:443) [ssl:info] [pid 5260:tid 2999946048] SSL Library Error: error:140880AE:SSL routines:SSL3_GET_CERT_VERIFY:missing verify message

My limited understanding on TLS MA is that the client should send a Certificate Verify message that proves it owns the private key. It appears the LTM is not sending this message which could explain why it is failing. I've tested a similar setup in my lab but bypassed the LTM and sure enough a Windows client does indeed send the Certificate Verify message and the transaction is successful.

 

Any ideas on this one?

 

Thank you.

 

6 REPLIES 6

Yann_Desmarest_
Nacreous
Nacreous

Hi,

 

If you configure TLS Client Authentication on your backend server, you must disable SSL processing on the Virtual Server configured on the BIG-IP. TLS Client Authentication is not passed from clientside to serverside as F5 device doesn't have the private key of the user.

 

Alternatively, you can apply a valid certificate/key to the SSL Server profile to do client certificate authentication between the bigip device and the backend server. But it's only one certificate for all users.

 

Hi Yann

 

It is client authentication between the LTM and the target server we wish to do. We are not passing TLS from the real server to the target server via the LTM. There are two distinct TLS flows here:

 

Source internal server -> LTM (client SSL profile applied)

 

LTM -> target server on internet (server SSL profile applied)

 

The issue is the second flow. The LTM is sending the certificate to the target server as the target server is sending the Certificate Request message. However, it appears the LTM is not sending a Certificate Verify message which the target server is complaining about.

 

Thanks.

 

Hi,

 

If you configure TLS Client Authentication on your backend server, you must disable SSL processing on the Virtual Server configured on the BIG-IP. TLS Client Authentication is not passed from clientside to serverside as F5 device doesn't have the private key of the user.

 

Alternatively, you can apply a valid certificate/key to the SSL Server profile to do client certificate authentication between the bigip device and the backend server. But it's only one certificate for all users.

 

Hi Yann

 

It is client authentication between the LTM and the target server we wish to do. We are not passing TLS from the real server to the target server via the LTM. There are two distinct TLS flows here:

 

Source internal server -> LTM (client SSL profile applied)

 

LTM -> target server on internet (server SSL profile applied)

 

The issue is the second flow. The LTM is sending the certificate to the target server as the target server is sending the Certificate Request message. However, it appears the LTM is not sending a Certificate Verify message which the target server is complaining about.

 

Thanks.

 

Devlin_T_149357
Nimbostratus
Nimbostratus

Thought I'd update this thread for others. I managed to get this working in the end, not through any configuration changes or anything. I got a trial license for v12.1 as my lab license only supports up to 11.6.1. Turns out that with literally the same config line-by-line on the v12.1, this now works. That is, the LTM now sends the Certificate Verify message to the server and everyone is happy.

 

The only thing I can think of right now is that this must be a bug.

 

hello devlin ,

 

i have simulated the same scenario but not working , our version is 15.1.0 ASM module only

 

is there any required license ?