Forum Discussion

eric_haupt1
Apr 10, 2019

APM On-Demand Cert Auth failure even though cert exists and is valid

I have a multi-path VPE. The first path is for automated systems which are detected based on client ip and take a branch using that logic. I know this path is working because I already have systems using it. I have the clientssl profile set to "ignore" with the trusted and advertised CA set to my agency bundle. Within the VPE I have an On-Demand Cert Auth immediately following. I have a remote host that is successfully matching the client IP branch and hitting the subsequent cert auth - but failing. APM logs clearly show session.ssl.cert.exist=0 and session.ssl.cert.valid=1.

Why would this host fail the On-Demand auth when these variables are set this way? Any ideas?

2 Replies

  • OK, it looks like those are the variables BEFORE the rehandshake... so is it logical to conclude that the server is not presenting a valid cert after the re-handshake? I don't see any other instances of session.ssl.cert.exist or session.ssl.cert.valid; I simply see rehandshake going from "2" to "0" and the Logon_Deny.

    I'm assuming this remote host is not using an agency cert. I'd just like to be clear on variable interpretation before I go back with this answer.

  • I've noticed the session.ssl.cert.valid variable values seem backwards. Pulled from a currently connected session that went through an On-Demand Cert Auth:

    session.ssl.cert.exist=1

    session.ssl.cert.valid=0

    session.ssl.cert.whole contains the entire cert, it should exist if the client presents a cert.

    I looked at the default successful branch rule for On-Demand Cert Auth and it's "expr { [mcget {session.ssl.cert.valid}] == "0" }"
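As an added illustration (not part of this thread and not F5 code), the following Python script reads session variables in the `name=value` form quoted above and applies the default branch rule from the last reply, `[mcget {session.ssl.cert.valid}] == "0"`, so that the exist/valid pair is read the way the thread concludes: `exist` says whether a client cert was presented at all, and `valid` is a verification result code where "0" means the check passed. The log lines, the non-zero failure code, and the helper names (`parse_session_vars`, `mcget`, `on_demand_cert_auth_succeeds`, `interpret`) are my own constructions.

```python
import re

# Constructed sample modelled on the lines quoted in the thread: a client cert was
# presented (exist=1) and verification returned result code 0 (valid=0), which the
# default On-Demand Cert Auth branch rule treats as success. Cert body truncated.
SAMPLE_LOG = """\
session.ssl.cert.exist=1
session.ssl.cert.valid=0
session.ssl.cert.whole=-----BEGIN CERTIFICATE-----MIIB...(constructed, truncated)
"""

# One session variable per line: "session.<dotted.name>=<value>"
VAR_RE = re.compile(r"^(session\.[\w.]+)=(.*)$")


def parse_session_vars(text):
    """Parse name=value lines into a dict; lines that are not session vars are skipped."""
    session = {}
    for line in text.splitlines():
        m = VAR_RE.match(line.strip())
        if m:
            session[m.group(1)] = m.group(2)
    return session


def mcget(session, name):
    """Stand-in for APM's mcget as used in branch rules: a missing variable reads as ''."""
    return session.get(name, "")


def on_demand_cert_auth_succeeds(session):
    """The default successful-branch rule quoted in the thread:
    expr { [mcget {session.ssl.cert.valid}] == "0" }
    Note the comparison is against the string "0", i.e. result code 0 == verified OK."""
    return mcget(session, "session.ssl.cert.valid") == "0"


def interpret(session):
    """Human-readable reading of the exist/valid pair, for checking APM logs."""
    exist = mcget(session, "session.ssl.cert.exist")
    valid = mcget(session, "session.ssl.cert.valid")
    if exist != "1":
        # No cert after the (re)handshake: this is the OP's exist=0 case; the valid
        # value carries no information about a cert that was never presented.
        return "no client certificate presented"
    if valid == "0":
        return "client certificate presented and verified against the trusted CA bundle"
    return "client certificate presented but verification failed (result code %s)" % valid


if __name__ == "__main__":
    session = parse_session_vars(SAMPLE_LOG)
    print("branch rule passes:", on_demand_cert_auth_succeeds(session))
    print(interpret(session))
```

Running the script against the constructed sample prints that the branch rule passes; feeding it the OP's pair (exist=0, valid=1) reports that no client certificate was presented, which is the conclusion the first reply reaches.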