C3D
4 Topics

C3D first request problem
Hi all,

We have an application that has a login button and when you press it you can log in with a certificate. This is working perfectly fine. We have put in front of the app a virtual server with SSL profiles configured with C3D (Client Certificate Constrained Delegation) and added the C3D CA into the trusted store of the app's server. When we try to log in through the virtual server we can, and the app works as expected: the generated certificate reaches the app, the user is logged in and we see possible threats on ASM.

However, the login process is not exactly as if we do it directly with the app. The first time a user tries to log in, the browser asks for the certificate, the user selects it and then an error shows up in the browser but quickly disappears because the browser automatically refreshes itself. If the same user closes the browser, then opens it and tries to log in, this time there is no error shown and the process goes normally, like when the users log in directly in the app without the virtual server in the middle.

Client SSL profile:

Server SSL profile:

We also have an iRule like this on the virtual server to only ask for the certificate on the login page, not anywhere else:

    when CLIENTSSL_CLIENTCERT {
        HTTP::release
    }
    when HTTP_REQUEST {
        # Some tests to determine if IS_LOGIN_PAGE
        if { IS_LOGIN_PAGE } {
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        }
    }

Any thoughts on what could be the cause? Any help is appreciated!

Solved | 1.5K Views | 0 likes | 10 Comments

Constrained Certificate Delegation from HTTP Headers
I have the following configuration set up and am trying to determine how to enable C3D to create a certificate based on the provided HTTP headers.

Outside F5 (terminates SSL and inserts headers from the validated certificate) -> Middle F5 (AWAF) -> Inside F5 (re-encrypts and uses C3D to connect to the back-end service) -> Apache HTTPD

I have C3D enabled on the Inside F5 with a valid self-signed CA for testing. The inserted headers from the Outside F5 are available on the inside Apache HTTP server. How can I enable C3D on the Inside F5 to produce the new certificate with the supplied headers?

352 Views | 0 likes | 1 Comment

Which Certificate Fields Does BIG-IP Alter When Using C3D?
Hello everyone,

When the C3D feature is enabled, the BIG-IP generates a new client certificate to authenticate to the back-end server. I would like to understand which fields in the newly generated client certificate are modified (aside from the Issuer). Specifically, is there any scenario where the BIG-IP alters the certificate's serial number? I've reviewed the documentation but couldn't find any detailed information about which fields of the original client certificate might be affected by this feature.

Thanks in advance for your help!

Best regards,
Karim

Solved | 90 Views | 0 likes | 2 Comments

Problem with C3D - Client Certificate Constrained Delegation
Hi all,

We have been using C3D in a public-facing web app for several years now with no issues. Clients use their certificates from many different CAs to log in to the app, and when somebody has a certificate from a different CA we add that CA to a list of trusted and allowed CAs whose certificates users can use to log in. The internal CA that we use to forge client certificates and pass them to the node uses sha256RSA as its signature algorithm and sha256 as its signature hash algorithm.

We had to add a new allowed CA that clients will use certificates from to connect, but it uses sha512ECDSA as its signature algorithm and sha512 as its signature hash algorithm, and when someone uses a client certificate of this CA to try to connect to our application the TLS connection breaks with "Alert (Level: Fatal, Description: Handshake Failure)".

Has anyone encountered a similar issue? Thank you.

71 Views | 0 likes | 1 Comment