Forum Discussion

MW1
Jul 05, 2010

...most likely a stupid Q by a stupid person

Sorry to be asking such a basic Q, but wondering if anyone can shed some light / point me in the direction I need to look regarding setting up client authentication using SSL certificates. We have internally an old MS certificate server, and I have installed its CA cert on an LTM v9.3 (upgrading soon, finally). On the client SSL profile I've set the client authentication section to:

client cert - required

Frequency - once

Depth - 9

Advertised cert - none (tried specifying the internal CA cert, which does show up on the client in the certificates displayed, but no change to the end result)

and nothing config'd for the CRL

When I hit the virtual server I get prompted for the client cert in IE, but when I select the cert the connection just gets dropped (presume it fails the auth). If I change the client cert setting from required to request I do get to the web page after submitting the cert, but after reading up on the differences I presume the auth is still failing and it's just letting me in.

Can anyone advise:

1) Bar the settings in the client Auth box in the client SSL profile, is there another step I need to do?

2) Is there any way to turn on debugging for the client authentication so I can try to figure out why it is failing?
5 Replies

  • There isn't really any additional debug you can enable. You can capture a tcpdump and decrypt it using ssldump to get more info on what's failing. Try searching the forums here and support.f5.com for ssldump for details on using the command.

    I think you're correct that the client cert request is probably still failing with the mode set to request.

    You should add the CA (and intermediate cert) to a bundle and configure it as the advertised and trusted CA bundle on the client SSL profile. The advertised bundle tells the client what CA issuers will be accepted. The trusted CA bundle is what LTM will use to validate the cert.

    Aaron
  • Thanks for the response, I'll dig in to it.

    Out of interest, do you know of any issues with Firefox and SSL cert client auth? In IE it prompts for the cert; in Firefox the page eventually times out with "connection was reset", seeming to loop in the status bar for a few seconds between "Looking up example.com" and "Connected to example.com" (obviously example.com stands in for the name of the site).

    thanks again
  • Do you have a cert installed in Firefox that chains correctly to the certs in the trusted and advertised CA bundle? That would be the first thing to set up. If it fails, ssldump is going to be your best bet for troubleshooting. If you get stuck you can open a case with F5 Support and ask them to help you diagnose the issue.

    Aaron
  • Posting a quick update, and thanks as always to hoolio. I should have read your first post better. While I had added the internal CA cert of the CA used to issue the client certs to the CA bundle on the F5, to get the client auth to work I had to switch the trusted CAs setting to the CA bundle (I incorrectly presumed this was the default setting used on the F5 so would not need specifying, but I guess I was wrong). With regards to Firefox, while the internal CA cert was installed I didn't have a client cert installed (IE prompts with an empty box...).
  • Glad it's working for you. If you think the manual or online help sections could be clarified to make it easier for others, you could add a post with suggestions to the Docs forum or open a case with F5 Support.

    Documentation Requests and Suggestions

    http://devcentral.f5.com/Forums/tabid/53/afv/topicsview/aff/2064/Default.aspx

    Aaron
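The bundle-building and chain check that Aaron's first reply and MW1's resolution describe, as an added shell example that is not from the thread or from F5: it creates a constructed throw-away PKI with hypothetical names (root CA, intermediate issuing CA, a client cert, and an unrelated self-signed cert) using openssl, concatenates root and intermediate into the bundle that would be loaded on LTM as both the trusted and advertised CA list, and checks which client certs validate against it, which is the check LTM performs when client cert is set to required.

```shell
#!/bin/sh
# Added example (not from the thread): build the CA bundle (issuing CA plus
# its intermediate) and confirm a client cert chains to it. Everything here
# is a constructed throw-away PKI with hypothetical names; requires openssl.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# newkey <name> <subject>: fresh RSA key plus CSR in $WORK.
newkey() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}
# issue <csr> <issuer.pem> <issuer.key> <out.pem> <extensions>: sign a CSR.
issue() {
  printf '%s\n' "$5" > "$WORK/ext.cnf"
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -out "$4" -days 1 -extfile "$WORK/ext.cnf" >/dev/null 2>&1
}

# Self-signed root CA, then an intermediate issuing CA signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
  -out "$WORK/root.pem" -subj "/CN=Example Internal Root CA" -days 1 \
  >/dev/null 2>&1
newkey int "/CN=Example Issuing CA"
issue "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/int.pem" \
  "basicConstraints=critical,CA:TRUE"
# A client cert from the intermediate, and a look-alike self-signed cert
# that no CA in the bundle ever issued.
newkey client "/CN=alice"
issue "$WORK/client.csr" "$WORK/int.pem" "$WORK/int.key" \
  "$WORK/client.pem" "basicConstraints=CA:FALSE"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rogue.key" \
  -out "$WORK/rogue.pem" -subj "/CN=alice" -days 1 >/dev/null 2>&1

# The bundle to load on LTM as both the trusted and the advertised CA list.
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/ca-bundle.pem"

# chains_to_bundle <cert>: succeeds only if the cert validates against
# the full bundle (root and intermediate), as LTM's trusted-CA check does.
chains_to_bundle() {
  openssl verify -CAfile "$WORK/ca-bundle.pem" "$1" >/dev/null 2>&1
}

chains_to_bundle "$WORK/client.pem" && echo "client.pem: chain OK"
chains_to_bundle "$WORK/rogue.pem" || echo "rogue.pem: not trusted"
```

Verifying client.pem against root.pem alone fails, which is the "bundle without the intermediate" situation the thread runs into.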