How to prevent SSL proxy from breaking client certificate authentication with a web server?


Solution

Overview

It is not uncommon for HTTPS servers to require client certificate authentication. This setup is used when the server intends to authenticate incoming requests based on a certificate in the client's certificate store (e.g., Internet Explorer's certificate store). The server may have application-specific logic that looks at certain fields in the client certificate to infer the user's identity, in order to authenticate and authorize the user.

The problem statement is: when intercepting traffic, the SSL proxy resets the underlying TCP connection when the server requests a client certificate. The new feature detects this scenario and, depending on policy, either tunnels the traffic thereafter (if policy is set to tunnel) or intercepts the traffic and generates an exception page (if policy is set to intercept or intercept on exception).

Solution: upgrade to SGOS 5.5.3.1 or later and apply the new policy, as documented in the SGOS CMG:

Chapter 3: Condition Reference, page 65

client.certificate.requested=

Tests whether or not the server has requested SSL client certificate authentication.

When the SSL proxy establishes a connection with the server and the server requests an SSL client certificate, this condition is set to yes, else it is set to no. This condition is NULL for transactions that do not involve an SSL connection to the client.

Syntax

client.certificate.requested = yes|no

Layer and Transaction Notes

Use in <SSL-Intercept> layer.

Applies to: SSL Intercept transactions

Example(s)

This condition is used to avoid intercepting SSL proxy traffic when a server requests a client certificate to authenticate the client. The reason is that client certificates are not supported in this configuration. When intercepting such traffic, the ProxySG generates an exception page. The policy below enables SSL proxy interception only when a client certificate is not requested by the server.

<SSL-Intercept>
    ; If the server requests a client certificate, tunnel the SSL traffic via SSL proxy
    client.certificate.requested=yes ssl.forward_proxy(no)
    ; Otherwise, intercept SSL traffic using HTTPS forward proxy.
    ssl.forward_proxy(https)
    ; Exclude the bottom rule if you have a rule to bypass SSL interception in VPM.
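To illustrate what the condition above detects, here is an added example (not from the article, and not ProxySG code): a small Python parser that walks a captured TLS 1.2 server handshake flight and reports whether it contains a CertificateRequest message, the trigger for client.certificate.requested=yes. The sample flight is constructed inline; in TLS 1.3 this message is encrypted, so it is not visible on the wire.

```python
# Added example, not from the article: detect the TLS 1.2 CertificateRequest that
# makes ProxySG set client.certificate.requested=yes, by parsing a captured server
# handshake flight (cleartext in TLS <= 1.2; TLS 1.3 encrypts this message).
import struct

HANDSHAKE, CERTIFICATE_REQUEST = 22, 13
HS_NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
            13: "CertificateRequest", 14: "ServerHelloDone"}

def iter_records(stream):
    """Yield (content_type, payload) for each complete 5-byte-header TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated capture: stop rather than misparse
        yield ctype, body
        off += 5 + length

def handshake_messages(stream):
    """Reassemble handshake messages that span records; yield (type, body)."""
    buf = b"".join(p for t, p in iter_records(stream) if t == HANDSHAKE)
    off = 0
    while off + 4 <= len(buf):
        hlen = int.from_bytes(buf[off + 1:off + 4], "big")
        if off + 4 + hlen > len(buf):
            break
        yield buf[off], buf[off + 4:off + 4 + hlen]
        off += 4 + hlen

def message_names(stream):
    return [HS_NAMES.get(t, f"type{t}") for t, _ in handshake_messages(stream)]

def client_certificate_requested(stream):
    """True if the server's flight contains a CertificateRequest (type 13)."""
    return any(t == CERTIFICATE_REQUEST for t, _ in handshake_messages(stream))

# --- constructed sample flight (not a real capture) ---
def hs(htype, body):  # handshake message: type(1) + length(3) + body
    return bytes([htype]) + len(body).to_bytes(3, "big") + body
def rec(payload):  # TLS 1.2 record of content type handshake
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload
SERVER_HELLO = hs(2, b"\x03\x03" + b"\x11" * 32 + b"\x00\xc0\x2f\x00")
CERT = hs(11, b"\x00\x00\x00")  # empty certificate list is enough for framing
# CertificateRequest: 1 cert type (rsa_sign), 1 sigalg (sha256+rsa), no CA names
CERT_REQ = hs(13, b"\x01\x01\x00\x02\x04\x01\x00\x00")
DONE = hs(14, b"")
FLIGHT = SERVER_HELLO + CERT + CERT_REQ + DONE
WITH_REQUEST = rec(FLIGHT[:50]) + rec(FLIGHT[50:])  # split mid-message on purpose
WITHOUT_REQUEST = rec(SERVER_HELLO + CERT + DONE)
```

Run against bytes extracted from a packet capture of the server-to-proxy side of the handshake to confirm which servers will trip the condition before deploying the policy.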
InQuira Doc Id: FAQ893
First Published: 10/01/2014
Last Modified: 10/01/2014
Last Published: 10/01/2014
Product: ProxySG
Software: SGOS 5
Topic: SSL / HTTPS, Usability
Article Number: 000011271