End-to-end SSL: Pass original client certificate to server?


Timo Miiluvaara

Posted

Hi

I know the NetScaler can do SSL Offload with client authentication, and if needed send certificate data to the server within plain text http requests.

But what if End-to-end encryption is required, with client authentication on both the NetScaler and destination server?

Can the NetScaler pass the original client certificate onto the backend SSL session? Or will the backend SSL sessions need to use a certificate installed on the NetScaler?

Note that SSL Bridging is not an option in my case.

Posted

Yes, you can secure the communication between the service members and the vserver with SSL. Just set up the web server for SSL and add the server members specifying port 443 instead of 80. I believe the NetScaler doesn't check the member service's SSL cert, so it can even be self-signed.

Posted

I know the NetScaler can establish an SSL session to the backend service. And indeed it probably doesn't verify the server certificate presented by the service, as you said.

But I am interested in the SSL client authentication procedure. I assume the NetScaler presents its own certificate when performing client authentication towards a service, but I am wondering if there is any way the NetScaler could pass the original client certificate of the real client onto the backend encrypted connection.

Posted

This is from a PowerPoint slide on setting up client cert authentication when SSL offloading XenMobile. It should be the same principle for any traffic that uses client certs, and it should not matter if the backend service is HTTP or SSL.

On LB vServer 1, enable Client Certificate Authentication
  Mark this certificate check as Optional

Install and bind the CA certificate(s) on NetScaler (required for validation of Client Certificates)

Create an SSL Policy
  Rule Expression - CLIENT.SSL.CLIENT_CERT.EXISTS

Create an SSL Action
  Client Certificate - ENABLED
  Certificate Tag - NSClientCert

Bind SSL Action to SSL Policy

Bind SSL Policy to vServer 1
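The slide steps above expressed as NetScaler CLI commands, added here as an illustration and not part of the original post. The vserver, service, certkey, policy and action names are assumed; only the header name NSClientCert and the rule expression come from the thread.

```nscli
# Assumed names: lb_vs_app (SSL LB vserver), svc_app (backend service),
# ca_clientcerts (CA certkey), act_fwd_clientcert, pol_fwd_clientcert.

# Backend service speaks SSL on 443 (the "end-to-end" leg of the thread);
# the NetScaler presents no client cert on this hop, it re-encrypts as itself.
add service svc_app 10.0.0.10 SSL 443
bind lb vserver lb_vs_app svc_app

# Step 1: enable client certificate authentication on the front-end vserver,
# marked Optional so the SSL handshake still completes when no cert is sent.
set ssl vserver lb_vs_app -clientAuth ENABLED -clientCert Optional

# Step 2: install the CA used to validate client certificates and bind it as CA.
add ssl certKey ca_clientcerts -cert ca_clientcerts.pem
bind ssl vserver lb_vs_app -certkeyName ca_clientcerts -CA

# Step 3/4: action inserts the validated client cert (PEM) into the request as
# an HTTP header named NSClientCert; policy fires only when a cert was presented.
add ssl action act_fwd_clientcert -clientCert ENABLED -certHeader NSClientCert
add ssl policy pol_fwd_clientcert -rule "CLIENT.SSL.CLIENT_CERT.EXISTS" -action act_fwd_clientcert

# Step 5: bind the policy to vserver 1.
bind ssl vserver lb_vs_app -policyName pol_fwd_clientcert -priority 100
```

Because the certificate travels as request data, the same header reaches the backend over the SSL service as it would over an HTTP one; the backend should treat the NSClientCert header as authoritative only on connections that come from the NetScaler.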
Posted

Thanks, but it seems the above example uses typical SSL offloading with a plain-text backend connection: the original client certificate is inserted into the HTTP header of the request being sent to the web server. The certificate is not passed on to a new encrypted backend SSL session.

I'm starting to feel that my case is not possible to implement on the NetScaler :)

Posted

And I based my above conclusion on this:

http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-ssl-config-ssl-actions-tsk.html#parameters_ssl_actions

clientCert (Client Certificate): Insert the entire client certificate into the HTTP header of the request being sent to the web server. The certificate is inserted in the ASCII (PEM) format. Possible values: ENABLED, DISABLED.

So in that XenMobile example we are clearly talking about an unencrypted backend connection.

Posted

Technically, if the certificate was inserted as an HTTP header, it would be passed to the backend server whether the connection to the backend server was HTTP or HTTPS, as it is now just data in the request.

I will share with you that in the past we have found that attempting to do any type of SSL offload on the NetScaler when the backend servers required client certificate authentication (in our case, with US Common Access Card or CAC) was never successful, as the authentication services on the servers sensed that this was a man-in-the-middle attack and would simply fail authentication.

I don't think you can accomplish what you are after. The only way we could successfully use client certificate authentication was to use SSL_Bridge as Carl suggested.

Posted

"Technically, if the certificate was inserted as an HTTP header, it would be passed to the backend server whether the connection to the backend server was HTTP or HTTPS, as it is now just data in the request." And thanks for the remark about MITM implications.
Yeah. I also concluded that forwarding the original cert inside an encrypted HTTP request would be the solution closest to what my original idea was aiming at.

Currently I am indeed using SSL_Bridge in this setup, but in the future I will need to decrypt the traffic on the NetScaler, thus leaving out the option of SSL bridging.

5 years later...

Posted

Has anyone been able to successfully implement client authentication on a Content Switch VIP with SSL offload to the target LB ("SSL end to end") on newer versions of NetScaler, 11/12?