11-21-2016 05:25 PM
Hi, I am having issues setting up a Virtual Server to authenticate client connections via client certificates.
I have followed the v10.4 guide and have enabled SSL Decryption and tested with the SSL Client Authentication section configured to "Request, but do not require a client certificate", as well as tested configured to "Require a client certificate". I have imported the trusted Certificate Authority Chains, an internal CA chain as well as an external CA chain.
I have also added a TrafficScript rule to confirm that the connection is in fact SSL and to write to the log the client certificate presented.
$host = http.getHostHeader();
$path = http.getPath();
$port = request.getLocalPort();
$rIP = request.getRemoteIP();
$isSSL = ssl.isSSL();
log.warn($rIP.": Client Connection is SSL if 1: ".$isSSL);
$cert = ssl.clientCert();
log.warn($rIP.": Certificate: ".$cert);
Which is returning the below log entries:
WARN rules/Test - Client Certificate rulelogmsgwarn vservers/Test Client Certificate [$rIP]: Client Connection is SSL if 1: 1
WARN rules/Test - Client Certificate rulelogmsgwarn vservers/Test Client Certificate [$rIP]: Certificate:
Any assistance would be appreciated.
12-01-2016 07:45 AM
Hello - did you already raise a support case for this? That might help here.
You might also run a test using ssl.requireCert() which will generate a handshake failure if the client fails to present a client certificate. The sslfail logs can be enabled on the virtual server to get more information about TLS failures (including the one generated by the ssl.requireCert() TrafficScript function).
Also check that you have cleared any cached state from the web browsers - you may need a complete restart to clear all client certificate information.