Monday, June 12, 2017

Client Auth Issues for Mutual SSL/TLS

Within TLS we can also authenticate the "client". This is called mutual authentication: the client authenticates the server and the server authenticates the client.

In this post I explain some common issues to look at when mutual authentication does not work.

1st, the certificate used by the server needs to validate.

2nd, the client certificate needs to validate. This also means it must not be past its expiration date, and it must already be inside its validity period (not "not yet valid").

e.g. an F5 debug log entry for a user certificate that did not validate

3rd, the client certificate store typically only offers the user certificate if items 1 and 2 are true and the issuer the site asks for matches the certificate found in the user's local store.

4th, the web client needs his/her certificate and the matching private key. This combination is what is used for the site. The web server extracts the public key from the X.509 certificate when authenticating.

5th, a web server might ignore a certificate even if one is provided.

Next, the web server needs the CA to use for verification. The CA used for the client certificates might NOT be the same one that signed the server certificate.



The client certificate has either a UPN (user principal name) or a CN (common name) field, and a web server can scrutinize this when mutual authentication is required. Whichever one is used should be correct for the user and the application, and in the correct format.

If the server uses a CRL, ensure the client certificate is not revoked.

If the site supports auth fallback, it comes into play after the SSL mutual-authentication request.

In most cases, the client certificates do NOT need to be signed under the same CA root as the server. Most servers that use mutual TLS/SSL client auth will let you set the CA chain for the client certificates that are to be trusted and allowed.
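The checklist above can be reproduced end to end with nothing but the Go standard library. The program below is an added example and is not from the original post: it builds two throwaway CAs (one for the server, one for the clients, since the post notes they need not be the same), runs a mutual-TLS handshake over loopback for each failure mode the post lists (server certificate not trusted, expired client certificate, client certificate from a CA the server does not trust, certificate presented with the wrong private key, no certificate at all) and reports which side rejected the connection and why. All names ("Constructed Server CA", "alice@example.com", "localhost") are made up for the demo. Note that Go's client, like a browser's certificate store, only offers a certificate whose issuer is in the CA list the server sends, so the "wrong-issuer" case fails as "client didn't provide a certificate" rather than as a chain error; a real server would additionally check the CN/UPN format and the CRL after the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mint issues a leaf signed by ca (or a self-signed CA when ca is nil) and returns it with its parsed
// Leaf and private key, as a peer would present it. Dates are parameters so the expired case can be built.
func mint(ca *tls.Certificate, cn string, eku x509.ExtKeyUsage, from, until time.Time) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: until,
		DNSNames: []string{"localhost"}, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, any(key) // self-signed CA
	if ca != nil {
		parent, signer = ca.Leaf, ca.PrivateKey
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Outcome of one attempt: the client CN the server accepted, or the first error from either side.
type Outcome struct {
	CN  string
	Err error
}

// handshake runs one mutual-TLS handshake over loopback. serverTrust is the CA the client trusts
// for the server, clientTrust the CA the server trusts for clients; an empty client offers no cert.
func handshake(server, serverTrust, clientTrust, client tls.Certificate) Outcome {
	clientPool, rootPool := x509.NewCertPool(), x509.NewCertPool()
	clientPool.AddCert(clientTrust.Leaf)
	rootPool.AddCert(serverTrust.Leaf)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{server}, ClientCAs: clientPool, // client CA may differ from the server's
		ClientAuth:   tls.RequireAndVerifyClientCert,                   // mutual auth: a valid client cert is mandatory
	}
	clientCfg := &tls.Config{RootCAs: rootPool, ServerName: "localhost"}
	if client.Certificate != nil {
		clientCfg.Certificates = []tls.Certificate{client}
	}
	ln, _ := net.Listen("tcp", "127.0.0.1:0") // loopback only, random port
	defer ln.Close()
	done := make(chan Outcome, 1)
	go func() {
		raw, _ := ln.Accept()
		conn := tls.Server(raw, serverCfg)
		defer conn.Close()
		if err := conn.Handshake(); err != nil {
			done <- Outcome{Err: fmt.Errorf("server: %w", err)}
			return
		}
		done <- Outcome{CN: conn.ConnectionState().PeerCertificates[0].Subject.CommonName}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return Outcome{Err: fmt.Errorf("client: %w", err)}
	}
	_, _ = cli.Read(make([]byte, 1)) // TLS 1.3 clients finish first; this surfaces the server's alert
	cli.Close()
	return <-done
}

// RunScenarios exercises the post's checklist; each key names one failure mode (or "valid").
func RunScenarios() map[string]Outcome {
	now, h, d := time.Now(), time.Hour, 24*time.Hour
	serverCA := mint(nil, "Constructed Server CA", x509.ExtKeyUsageAny, now.Add(-h), now.Add(d))
	clientCA := mint(nil, "Constructed Client CA", x509.ExtKeyUsageAny, now.Add(-h), now.Add(d))
	srv := mint(&serverCA, "localhost", x509.ExtKeyUsageServerAuth, now.Add(-h), now.Add(h))
	user := func(ca tls.Certificate, from, until time.Time) tls.Certificate { // client cert with its own key
		return mint(&ca, "alice@example.com", x509.ExtKeyUsageClientAuth, from, until)
	}
	mismatch := user(clientCA, now.Add(-h), now.Add(h))
	mismatch.PrivateKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key does not belong to the cert
	return map[string]Outcome{
		"valid":            handshake(srv, serverCA, clientCA, user(clientCA, now.Add(-h), now.Add(h))),
		"untrusted-server": handshake(srv, clientCA, clientCA, user(clientCA, now.Add(-h), now.Add(h))),    // 1st
		"expired":          handshake(srv, serverCA, clientCA, user(clientCA, now.Add(-2*d), now.Add(-d))), // 2nd
		"wrong-issuer":     handshake(srv, serverCA, clientCA, user(serverCA, now.Add(-h), now.Add(h))),    // 3rd
		"key-mismatch":     handshake(srv, serverCA, clientCA, mismatch),                                   // 4th
		"no-cert":          handshake(srv, serverCA, clientCA, tls.Certificate{}),                          // 5th
	}
}

func main() { fmt.Println(RunScenarios()) }
```

Running it prints one entry per scenario; only "valid" carries a CN and a nil error, and the error text of the others is the same wording you will see from a Go-based server or client when these mistakes happen in production, which makes it a handy reference when reading real logs.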

By using curl you can validate and gather verbose details:

curl -v --cert-type P12 --cert <pkcs12 certificate+key file>:<passphrase> https://<site>/

Review the curl output for further paths to explore and investigate.

Ken   Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \
