Timo Miiluvaara Posted January 12, 2014 Hi I know the NetScaler can do SSL Offload with client authentication, and if needed send certificate data to the server within plain text HTTP requests. But what if end-to-end encryption is required, with client authentication on both the NetScaler and the destination server? Can the NetScaler pass the original client certificate onto the backend SSL session? Or will the backend SSL sessions need to use a certificate installed on the NetScaler? Note that SSL Bridging is not an option in my case.
matthew ingram Posted January 12, 2014 Yes, you can secure the communication between the service members and the vserver with SSL. Just set up the web server for SSL and add the server members specifying port 443 instead of 80. I believe the NetScaler doesn't check the member service SSL cert, so it can even be self-signed.
Timo Miiluvaara (Author) Posted January 13, 2014 I know the NetScaler can establish an SSL session to the backend service, and indeed it probably doesn't verify the server certificate presented by the service, as you said. But I am interested in the SSL client authentication procedure. I assume the NetScaler presents its own certificate when performing client authentication towards a service, but I am wondering if there is any way the NetScaler could pass the original client certificate of the real client onto the backend encrypted connection.
CarlStalhood Posted January 13, 2014 You could definitely do it with SSL_BRIDGE services and vServer, but the NetScaler won't decrypt the session.
Timo Miiluvaara (Author) Posted January 13, 2014 That's right. I would however need the NetScaler to decrypt and re-encrypt the traffic :/
Jesse Bailey1709152428 Posted January 13, 2014 This is from a PowerPoint slide on setting up client cert authentication when SSL offloading XenMobile. Should be the same principle for any traffic that uses client certs, and should not matter if the backend service is HTTP or SSL.

On LB vServer 1, enable Client Certificate Authentication
Mark this certificate check as Optional
Install and bind the CA certificate(s) on NetScaler (required for validation of Client Certificates)
Create an SSL Policy
Rule Expression - CLIENT.SSL.CLIENT_CERT.EXISTS
Create an SSL Action
Client Certificate - ENABLED
Certificate Tag - NSClientCert
Bind SSL Action to SSL Policy
Bind SSL Policy to vServer 1
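The slide's steps written out as NetScaler CLI commands, added here as an example and not taken from the slide or from anyone in the thread; the object names (lb_vs_app, ca_root, svc_app_ssl), the file name ca_root.cer and the IP address are placeholders, and the backend service is defined on port 443 so the re-encrypted request, header included, reaches the server over SSL.

```text
# Backend reached over SSL (port 443); the NetScaler re-encrypts with its own
# session, so the client certificate can only travel inside the HTTP request.
add service svc_app_ssl 10.0.0.10 SSL 443
bind lb vserver lb_vs_app svc_app_ssl

# Step 1-2: request a client certificate on the front-end vServer but keep
# the check Optional, so connections without a certificate still complete.
set ssl vserver lb_vs_app -clientAuth ENABLED -clientCert Optional

# Step 3: CA certificate used to validate the presented client certificates.
add ssl certKey ca_root -cert ca_root.cer
bind ssl vserver lb_vs_app -certkeyName ca_root -CA

# Step 4-8: SSL action that inserts the whole PEM client certificate into the
# request header NSClientCert, tied to a policy that fires only when a
# certificate was actually presented.
add ssl action act_fwd_client_cert -clientCert ENABLED -certHeader NSClientCert
add ssl policy pol_fwd_client_cert -rule CLIENT.SSL.CLIENT_CERT.EXISTS -action act_fwd_client_cert

# Step 9: bind the policy to vServer 1.
bind ssl vserver lb_vs_app -policyName pol_fwd_client_cert -priority 100
```

The backend only sees a header, not a TLS-level client certificate, so it should accept NSClientCert solely on connections that originate from the NetScaler (for example by restricting the service's listener to the NetScaler's subnet IP) and should re-validate the certificate against the same CA rather than trust the header's presence.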
Timo Miiluvaara (Author) Posted January 13, 2014 Thanks, but it seems the above example uses typical SSL Offloading with a plain text backend connection: the original client certificate is inserted into the HTTP header of the request being sent to the web server. The certificate is not passed onto a new encrypted backend SSL session. I'm starting to feel that my case is not possible to implement on the NetScaler :)
Timo Miiluvaara (Author) Posted January 13, 2014 And I based my above conclusion on this: http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-ssl-config-ssl-actions-tsk.html#parameters_ssl_actions

"clientCert (Client Certificate): Insert the entire client certificate into the HTTP header of the request being sent to the web server. The certificate is inserted in the ASCII (PEM) format. Possible values: ENABLED, DISABLED."

So in that XenMobile example we are clearly talking about an unencrypted backend connection.
Terry Anderson Posted January 13, 2014 Technically, if the certificate was inserted as an HTTP header, it would be passed to the backend server whether the connection to the backend server was HTTP or HTTPS, as it is now just data in the request. I will share with you that in the past we have found that attempting to do any type of SSL offload on the NetScaler when the backend servers required client certificate authentication (in our case, with US Common Access Card or CAC) was never successful, as the authentication services on the servers sensed that this was a man-in-the-middle attack and would simply fail authentication. I don't think you can accomplish what you are after. The only way we could successfully use client certificate authentication was to use SSL_Bridge as Carl suggested.
Timo Miiluvaara (Author) Posted January 15, 2014 "Technically, if the certificate was inserted as an HTTP header, it would be passed to the backend server whether the connection to the backend server was HTTP or HTTPS, as it is now just data in the request." And thanks for the remark about MITM implications. Yeah, I also concluded that forwarding the original cert inside an encrypted HTTP request would be the solution closest to what my original idea was aiming at. Currently I am indeed using SSL_Bridge in this setup, but in the future I will need to decrypt the traffic on the NetScaler, thus leaving out the option for SSL bridging.
Yuvy Ruhee Posted June 4, 2019 Has anyone been able to successfully implement client authentication on a Content-Switch VIP with SSL Offload to the target LB "SSL end to end" on new versions of NetScaler 11/12?