ssl client authentication
13 Topics

TLS Client Authentication from Server SSL Profile
Hi all,

We have a requirement to enable an outbound (internet) flow from some internal servers. Sitting near the edge of the network is an LTM that will proxy the connection from the servers, and is required to then do TLS mutual authentication (client authentication) to the target server on the internet.

In this setup the LTM is, from the internal server's point of view, the server, so we configure a Client SSL Profile. All good. Next, the LTM is, from the target server's point of view, a client, so we configure a Server SSL Profile. Unfortunately this is not working for us. In the Server SSL profile we have set the Certificate and Key, which is the identity cert of the LTM itself, signed by a 3rd party CA using a Web Server template with Client Authentication Key Usage.

The logs from the target server (Apache 2.4.7) show the following:

    [ssl:info] [pid 5260:tid 2999946048] [client 10.128.2.109:58181] AH02008: SSL library error 1 in handshake (server server.com:443)
    [ssl:info] [pid 5260:tid 2999946048] SSL Library Error: error:140880AE:SSL routines:SSL3_GET_CERT_VERIFY:missing verify message

My limited understanding of TLS MA is that the client should send a Certificate Verify message that proves it owns the private key. It appears the LTM is not sending this message, which could explain why it is failing. I've tested a similar setup in my lab but bypassed the LTM, and sure enough a Windows client does indeed send the Certificate Verify message and the transaction is successful.

Any ideas on this one? Thank you.

899 Views, 0 likes, 6 Comments

Extract CN Field from SSL Client Certificate
Hi,

I have inherited an APM configuration from a software developer, and have been asked by the customer to apply the same technology on an external-facing reverse proxy (currently running TMOS/APM 11.5.4).

We use the following APM macro to extract the user name from a client SSL certificate:

    set f1 [mcget {session.ssl.cert.subject}]
    set f2 [split $f1 "="]
    set f3 [lindex $f2 1]
    set f4 [split $f3 ","]
    set f5 [lindex $f4 0]

It works as long as CN is the first field in the data returned by session.ssl.cert.subject, but unfortunately the externally signed certificate presented by the web browser has the data in a different order:

    OU=MULTI-ALLOWED OU=XXXXXXX CN=USERNAME

The resulting LDAP search macro tries to look up a user called "MULTI-ALLOWED" and fails. We don't have control over the format of the client certificate, which we believe will be issued by the customer.

How would I ensure that we extract the CN field regardless of its position in the certificate subject field? Would simply changing the search term in the first split command resolve the issue?

    set f2 [split $f1 "CN="]

My knowledge of Tcl, UNIX/Linux string manipulation and regular expressions is very limited.

I found a reference to session.ssl.cert.cn in the documentation for 10.1.x but it isn't mentioned for later versions. Is it still supported?

799 Views, 0 likes, 1 Comment

Read SSL certificate from http header?
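Added example for the preceding topic, "Extract CN Field from SSL Client Certificate" (editor's illustration, not code from the post or from F5). Two things the macro runs into: `lindex $f2 1` only works when CN is the first RDN, and Tcl's `split` treats its second argument as a set of separator characters, so `split $f1 "CN="` would split at every C, N and = rather than at the string "CN=". The parser below walks the subject string once, honouring backslash escapes and splitting each RDN at its first `=` only, and returns the CN wherever it sits. The sample subjects are constructed (commas between RDNs are assumed); the macro is reproduced as naive_cn() so the failure is visible side by side.

```python
"""Position-independent attribute lookup in a DN string such as
session.ssl.cert.subject.  Added example; sample subjects are constructed."""


def parse_dn(dn):
    """Split a comma-separated DN into an ordered list of (ATTR, value).
    A backslash escapes the next character (RFC 4514), so "Doe\\, John" stays
    one value, and only the first '=' in each RDN separates type from value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    result = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        result.append((attr.strip().upper(), value.strip()))
    return result


def get_attribute(dn, wanted="CN"):
    """First value of the wanted attribute (attribute names compared
    case-insensitively), or None when the DN has no such attribute."""
    wanted = wanted.upper()
    for attr, value in parse_dn(dn):
        if attr == wanted:
            return value
    return None


def naive_cn(dn):
    """The macro from the post: split on '=', take element 1, split on ','.
    Correct only when CN happens to be the first RDN."""
    return dn.split("=")[1].split(",")[0]


# Constructed subjects mirroring the post (commas assumed between RDNs).
DEVELOPER_CERT = "CN=USERNAME,OU=Developers,O=Example"
CUSTOMER_CERT = "OU=MULTI-ALLOWED,OU=XXXXXXX,CN=USERNAME"
ESCAPED_CERT = "OU=Eng,CN=Doe\\, John,O=Example"   # the value contains an escaped comma

if __name__ == "__main__":
    for subj in (DEVELOPER_CERT, CUSTOMER_CERT, ESCAPED_CERT):
        print(f"{subj!r:42} naive={naive_cn(subj)!r:18} parsed={get_attribute(subj)!r}")
```

In an iRule or APM macro the same idea is a single regular-expression match on the subject string rather than a chain of split/lindex calls; the Python version is here so the edge cases (escaped commas, a value containing `=`, lower-case attribute names) can be exercised offline before committing to a Tcl expression.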
I am sending 2 SSL certs from my app to the load balancer:

    The standard SSL cert
    A required client certificate I generated, and put the Authority on the F5

In the SSL profile, I enable "Client Authentication" and everything is happy.

However, I have a special case now where I want to send the client certificate to the F5 via a header parameter like:

    xmlhttp.setRequestHeader('X-Client-Certificate', Certificate_In_Base64);

Does anyone know if it's possible for the F5 to accept SSL certificates (specifically the client cert) in a non-standard way, like an iRule that lets me read it from the http header?

Thanks!

618 Views, 0 likes, 2 Comments

Dynamic OCSP and CRLDP check for SSL Client Authentication
Dear,

I have a use case where a virtual server is configured with a client SSL profile and client authentication is enabled. The client certificates can be signed by any CA in a bundle that is assigned to the profile as well.

We want to enable the revocation status check based on the information in the certificate; it can be either CRLDP or OCSP. There are some configuration objects in "Local Traffic >> Profiles >> Authentication", but these profiles need static URLs for the CRLDP and OCSP. I also read that this is based on the ACA module, which has been deprecated.

So I would assume that the only solution would be the APM module, but I would like to get a clear answer if possible.

Thanks a lot.
Abdessamad

499 Views, 0 likes, 1 Comment

How to use multiple Trusted Certificate Authorities in the Client Authentication option in SSL profile?
Hello All,

We have a scenario where the virtual server needs to authenticate the client, and for that we need to configure client authentication under the SSL client profile. In our case we have two different types of clients, each using a different certificate.

How can I use multiple certificates in the Trusted Certificate Authorities option? Can the LTM use a set of certificates to authenticate the client by trial and error?

Regards,
Fouad Al Jaouni

400 Views, 0 likes, 1 Comment

Dynamic OCSP and CRLDP check for SSL Client Authentication
Dear,

I have a use case where a virtual server is configured with a client SSL profile and client authentication is enabled. The client certificates can be signed by any CA in a bundle that is assigned to the profile as well.

We want to enable the revocation status check based on the information in the certificate; it can be either CRLDP or OCSP. There are some configuration objects in "Local Traffic >> Profiles >> Authentication", but these profiles need static URLs for the CRLDP and OCSP. I also read that this is based on the ACA module, which has been deprecated.

So I would assume that the only solution would be the APM module, but I would like to get a clear answer if possible.

Thanks a lot.
Abdessamad

362 Views, 0 likes, 0 Comments

SSL client certificate authentication frequency and SSL Session ID
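Added example for the "Dynamic OCSP and CRLDP check" topic (both copies of it on this page). Whatever does the "dynamic" check, whether a module on the box or a script, has to read the responder and CRL URLs out of the client certificate's own extensions rather than from a static profile field. The code below is the editor's illustration, not F5 code: it is a minimal DER reader that pulls the URIs from a CRLDistributionPoints extension and the OCSP responders from an AuthorityInfoAccess extension. It assumes the caller has already located the two extensions by OID (2.5.29.31 and 1.3.6.1.5.5.7.1.1) and passes in the value inside each extension's OCTET STRING; the sample extension bodies are constructed for the demo and do not come from a real certificate. One caveat worth keeping in mind: these URLs are supplied by the certificate being checked, so fetch from them only after the chain has validated against the trusted bundle.

```python
"""Extract revocation-check endpoints from X.509 extension values.
Added example; sample extension bodies are constructed, not from a real cert."""

OID_OCSP = bytes.fromhex("2b06010505073001")         # id-ad-ocsp      1.3.6.1.5.5.7.48.1
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")   # id-ad-caIssuers 1.3.6.1.5.5.7.48.2
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86    # 0x86 = GeneralName [6] IA5String URI


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value, next_pos).  Handles the short and
    the long (0x81..0x84) length forms and refuses to run past the buffer."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def der_children(value):
    """All (tag, value) TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        out.append((tag, inner))
    return out


def crl_distribution_points(ext_value):
    """URIs from CRLDistributionPoints: SEQUENCE OF DistributionPoint, each with
    distributionPoint [0] -> fullName [0] GeneralNames -> [6] URI entries.
    nameRelativeToCRLIssuer, reasons and cRLIssuer are deliberately skipped."""
    tag, seq, _ = der_read(ext_value)
    if tag != TAG_SEQUENCE:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    uris = []
    for _t, dp in der_children(seq):
        for t, field in der_children(dp):
            if t == 0xA0:                                  # distributionPoint [0]
                for t2, names in der_children(field):
                    if t2 == 0xA0:                         # fullName [0] GeneralNames
                        uris += [v.decode("ascii") for t3, v in der_children(names) if t3 == TAG_URI]
    return uris


def ocsp_responders(ext_value):
    """URIs from AuthorityInfoAccess whose accessMethod is id-ad-ocsp; caIssuers
    entries (used to fetch missing intermediates) are not responders."""
    tag, seq, _ = der_read(ext_value)
    if tag != TAG_SEQUENCE:
        raise ValueError("AuthorityInfoAccess must be a SEQUENCE")
    urls = []
    for _t, desc in der_children(seq):                     # AccessDescription
        method, location = der_children(desc)
        if method == (TAG_OID, OID_OCSP) and location[0] == TAG_URI:
            urls.append(location[1].decode("ascii"))
    return urls


def revocation_sources(crldp_ext=None, aia_ext=None):
    """What a dynamic checker would try, OCSP first, then CRL."""
    return {"ocsp": ocsp_responders(aia_ext) if aia_ext else [],
            "crl": crl_distribution_points(crldp_ext) if crldp_ext else []}


# --- constructed sample extension bodies -----------------------------------
def der(tag, value):
    """Encode tag + DER length + value (used only to build the samples)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + value


def uri(u):
    return der(TAG_URI, u.encode("ascii"))


SAMPLE_CRLDP = der(TAG_SEQUENCE,
    der(TAG_SEQUENCE, der(0xA0, der(0xA0, uri("http://crl.example.test/ca1.crl"))))
    + der(TAG_SEQUENCE, der(0xA0, der(0xA0, uri("http://crl2.example.test/ca1.crl")
                                            + uri("ldap://ldap.example.test/cn=ca1?certificateRevocationList")))))
SAMPLE_AIA = der(TAG_SEQUENCE,
    der(TAG_SEQUENCE, der(TAG_OID, OID_CA_ISSUERS) + uri("http://ca.example.test/ca1.cer"))
    + der(TAG_SEQUENCE, der(TAG_OID, OID_OCSP) + uri("http://ocsp.example.test")))

if __name__ == "__main__":
    print(revocation_sources(SAMPLE_CRLDP, SAMPLE_AIA))
```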
Hi,

I'm trying to write a very simple iRule to insert the SSL Session ID value in an HTTP request header. I require client authentication in the Virtual Server's clientssl profile, and I've noticed that the F5 generates and sends the Session ID value in the ServerHello SSL message only if I configure the frequency for the client authentication to a value of "once"; if I set it to "always" then the Session ID is always empty.

I guess that when I set it to "always" the Session ID value is empty because the F5 doesn't want to reuse the session in any case and prefers a full handshake with the client, but I'm not sure of this.

Can anyone explain why the SSL Session ID is empty or has a value depending on the client authentication frequency parameter?

Thanks!

348 Views, 0 likes, 2 Comments

Generate logs on two-way client authentication SSL certs expired or close to expiring?
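Added example serving two topics on this page: the first one, "TLS Client Authentication from Server SSL Profile" (Apache's SSL3_GET_CERT_VERIFY "missing verify message"), and the one just above about the ServerHello session ID. Both are questions a packet capture answers, and in both cases the interesting messages are in the plaintext part of a TLS 1.2 handshake. The editor's code below (not from any post, and not F5 code) walks a byte stream of TLS records, reassembles handshake messages that are coalesced into one record or split across several, and stops at ChangeCipherSpec, after which the Finished message is encrypted and nothing more can be read. On top of that it answers the two questions directly: did the client send a non-empty Certificate without a CertificateVerify, and how long is the session ID the server handed back. All sample bytes are constructed placeholders, not a real capture, real certificates or real signatures.

```python
"""Walk the plaintext part of a TLS 1.2 handshake captured off the wire.
Added example: all sample bytes below are constructed placeholders, not a real
capture, real certificates or real signatures."""
import struct

CHANGE_CIPHER_SPEC, HANDSHAKE = 20, 22
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
            13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
            16: "ClientKeyExchange", 20: "Finished"}


def handshake_messages(stream):
    """Return [(type, body)] for every plaintext handshake message in a byte stream
    of TLS records. Messages may be coalesced in one record or split across records,
    so type-22 payloads are joined before the 4-byte handshake headers are read.
    Parsing stops at ChangeCipherSpec: everything after it (Finished) is encrypted."""
    buf, off = bytearray(), 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        off += 5
        payload = stream[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        off += length
        if ctype == CHANGE_CIPHER_SPEC:
            break
        if ctype == HANDSHAKE:
            buf += payload
    msgs, pos = [], 0
    while pos + 4 <= len(buf):
        htype, hlen = buf[pos], int.from_bytes(buf[pos + 1:pos + 4], "big")
        body = bytes(buf[pos + 4:pos + 4 + hlen])
        if len(body) != hlen:
            raise ValueError("truncated handshake message")
        msgs.append((htype, body))
        pos += 4 + hlen
    return msgs


def check_client_flight(stream):
    """Describe the client's flight after ServerHelloDone. 'missing_verify' is True
    exactly when a non-empty Certificate was sent without a CertificateVerify, the
    condition behind OpenSSL's SSL3_GET_CERT_VERIFY "missing verify message"."""
    msgs = handshake_messages(stream)
    types = [t for t, _ in msgs]
    cert_body = next((b for t, b in msgs if t == 11), None)
    # Certificate body opens with a uint24 certificate_list length; zero means the
    # client declined to present a certificate, and then no CertificateVerify is due.
    sent_cert = cert_body is not None and int.from_bytes(cert_body[:3], "big") > 0
    sent_verify = 15 in types
    return {"messages": [HS_NAMES.get(t, str(t)) for t in types],
            "sent_certificate": sent_cert,
            "sent_certificate_verify": sent_verify,
            "missing_verify": sent_cert and not sent_verify}


def server_hello_session_id(stream):
    """Session ID from the ServerHello (2 bytes version, 32 bytes random, 1-byte
    length, ID). Empty means the server is not offering session resumption."""
    for htype, body in handshake_messages(stream):
        if htype == 2:
            return body[35:35 + body[34]]
    return None


# --- constructed sample traffic ---------------------------------------------
def build_record(content_type, payload):
    return struct.pack("!BHH", content_type, 0x0303, len(payload)) + payload


def build_handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


FAKE_CERT_DER = b"\x30\x03\x02\x01\x01"                      # stands in for a DER certificate
CERT_MSG = build_handshake(11, (len(FAKE_CERT_DER) + 3).to_bytes(3, "big")
                           + len(FAKE_CERT_DER).to_bytes(3, "big") + FAKE_CERT_DER)
EMPTY_CERT_MSG = build_handshake(11, b"\x00\x00\x00")          # client has no certificate
CKE_MSG = build_handshake(16, b"\x00\x20" + b"\x11" * 32)      # ClientKeyExchange
CV_MSG = build_handshake(15, b"\x04\x01\x00\x40" + b"\x22" * 64)  # CertificateVerify
CCS = build_record(CHANGE_CIPHER_SPEC, b"\x01")
ENCRYPTED_FINISHED = build_record(HANDSHAKE, b"\xaa" * 40)     # opaque after CCS

# Certificate split across two records, then CertificateVerify: the working case.
GOOD_CLIENT_FLIGHT = (build_record(HANDSHAKE, CERT_MSG[:10])
                      + build_record(HANDSHAKE, CERT_MSG[10:] + CKE_MSG)
                      + build_record(HANDSHAKE, CV_MSG) + CCS + ENCRYPTED_FINISHED)
# Certificate and ClientKeyExchange but no CertificateVerify: the failing case.
BAD_CLIENT_FLIGHT = build_record(HANDSHAKE, CERT_MSG + CKE_MSG) + CCS + ENCRYPTED_FINISHED
# Empty Certificate: nothing to prove, so no CertificateVerify is expected.
NO_CERT_FLIGHT = build_record(HANDSHAKE, EMPTY_CERT_MSG + CKE_MSG) + CCS + ENCRYPTED_FINISHED


def build_server_hello(session_id):
    body = (b"\x03\x03" + b"\x00" * 32 + bytes([len(session_id)]) + session_id
            + b"\xc0\x2f\x00")                                # cipher suite, null compression
    return build_record(HANDSHAKE, build_handshake(2, body))


RESUMABLE_SERVER_HELLO = build_server_hello(b"\x5a" * 32)      # non-empty ID, resumable
NON_RESUMABLE_SERVER_HELLO = build_server_hello(b"")           # empty ID, full handshake next time

if __name__ == "__main__":
    for name, flight in (("good", GOOD_CLIENT_FLIGHT), ("bad", BAD_CLIENT_FLIGHT)):
        print(name, check_client_flight(flight))
    print("session id length:", len(server_hello_session_id(RESUMABLE_SERVER_HELLO)))
```

Feeding a real capture through this (the TCP payload of one direction, starting at the first record) gives the list of handshake messages that side actually sent, which is the quickest way to confirm whether a Certificate went out without its CertificateVerify, or whether the ServerHello carried a session ID at all.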
I've been tasked with coming up with a way to monitor client certificate expiration status without the F5 holding the client cert (which obviously would be the easiest way to check cert expiration status). Basically, the clients are external customers, so we can't import their private client certs into the F5 to check their expiration status. We currently use an iRule to verify the client authentication of their cert, but if it expires we aren't notified (nor is the client) until a while after the cert has expired and someone notices the connection failures.

I've been doing some preliminary research and it appears that through an iRule we can check the expiration date of the cert and possibly send it to a log or syslog for alerts? Ideally, the F5 notification would be two-fold:

    1) Log and send an alert when the client cert is less than 30 days from expiration.
    2) Log and send an alert when the client cert has expired.

Here's the current iRule we're using:

    when CLIENTSSL_CLIENTCERT {
        # Check if client provided a cert
        if { [SSL::cert 0] eq "" } {
            log "Client Certificate Missing"
            reject
        } else {
            set subject_dn [string tolower [X509::subject [SSL::cert 0]]]
            set expiration_dn [X509::not_valid_after [SSL::cert 0]]
            log "Client Certificate Received: $subject_dn --- $expiration_dn"
            if { ([class match $subject_dn contains progressive_cn_list]) } {
                # Accept the client cert
                log "Client Certificate Accepted: $subject_dn [SSL::cert count]"
            } else {
                log "Client Certificate Mismatch: $subject_dn [SSL::cert count]"
                reject
            }
        }
    }

And I found the following F5 KB on X509 commands. I'm presuming we could use a combination of X509::not_valid_after for expiration, and maybe another conditional check with some sort of X509::not_valid_after < 30 "from_present_date" code to alert when the cert is less than 30 days out.

Do you guys have any suggestions? Thanks!

CH

344 Views, 0 likes, 1 Comment

Client authentication prompts (SSL profiles)
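Added example for the preceding topic, "Generate logs on two-way client authentication SSL certs expired or close to expiring?" (editor's illustration, not the poster's iRule and not F5 code). The missing piece in the iRule is the date arithmetic: the string X509::not_valid_after returns has to be parsed into a time value and compared against now, once for the 30-day warning and once for the expired case. The code below does that with the two thresholds the post asks for and builds the log line for each case. The input format is assumed to be the OpenSSL text form "Mon  D HH:MM:SS YYYY GMT" (note the two spaces before single-digit days); the sample subjects and dates are constructed, and the clock is pinned so the result is reproducible.

```python
"""30-day warning / expired decision for a client certificate's not-after date.
Added example; the date format is assumed, and all sample certificates are
constructed."""
from datetime import datetime, timedelta, timezone

NOT_AFTER_FORMAT = "%b %d %H:%M:%S %Y GMT"   # assumed X509::not_valid_after layout
WARN_DAYS = 30


def parse_not_after(text):
    """Parse "Mon  D HH:MM:SS YYYY GMT" into an aware UTC datetime.  OpenSSL pads
    single-digit days with a space, so runs of whitespace are collapsed first."""
    return datetime.strptime(" ".join(text.split()), NOT_AFTER_FORMAT).replace(tzinfo=timezone.utc)


def expiry_status(not_after_text, now=None, warn_days=WARN_DAYS):
    """Return (state, days_remaining) with state in {'expired', 'expiring', 'ok'}.
    days_remaining is negative once the certificate has expired."""
    now = now if now is not None else datetime.now(timezone.utc)
    remaining = parse_not_after(not_after_text) - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining <= timedelta(days=warn_days):
        state = "expiring"
    else:
        state = "ok"
    return state, remaining.days


def expiry_log_line(subject, not_after_text, now=None):
    """Log line for the two alert conditions from the post; None when nothing is
    due, so the caller logs only on 'expiring' and 'expired'."""
    state, days = expiry_status(not_after_text, now)
    if state == "expired":
        return f"Client certificate EXPIRED {-days} day(s) ago: {subject} (not after {not_after_text})"
    if state == "expiring":
        return f"Client certificate expires in {days} day(s): {subject} (not after {not_after_text})"
    return None


# Constructed sample client certificates, evaluated at a fixed instant.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLES = [
    ("cn=partner-a,o=example", "Mar  1 00:00:00 2025 GMT"),    # 59 days left: no alert
    ("cn=partner-b,o=example", "Jan 20 00:00:00 2025 GMT"),    # 19 days left: warning
    ("cn=partner-c,o=example", "Dec 31 23:59:59 2024 GMT"),    # one second past: expired
]

if __name__ == "__main__":
    for subject, not_after in SAMPLES:
        print(expiry_status(not_after, NOW), expiry_log_line(subject, not_after, NOW))
```

The same two comparisons belong in the CLIENTSSL_CLIENTCERT event right after X509::not_valid_after is read, with Tcl's clock commands doing the parsing and the current time coming from [clock seconds]; an alert on every handshake from an expiring certificate is noisy, so rate-limiting by subject (a table entry with a one-day lifetime, for instance) is worth adding once the logging works.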
Hello all,

I was wondering if someone is facing the issue below when client authentication is implemented with SSL profiles. Everything works fine after the prompts below.

The user certificate prompt appears 4 times in Chrome, 2 times in IE and once in Firefox. I am wondering if this has something to do with the browser behaviour?

Regards,
Akhtar

335 Views, 0 likes, 6 Comments