End-to-end SSL: Pass original client certificate to server?


Timo Miiluvaara

Hi

I know the NetScaler can do SSL Offload with client authentication, and if needed send certificate data to the server within plain-text HTTP requests.

But what if End-to-end encryption is required, with client authentication on both the NetScaler and destination server?

Can the NetScaler pass the original client certificate onto the backend SSL session? Or will the backend SSL sessions need to use a certificate installed on the NetScaler?

Note that SSL Bridging is not an option in my case.


I know the NetScaler can establish an SSL session to the backend service. And indeed it probably doesn't verify the server certificate presented by the service, as you said.

But I am interested in the SSL client authentication procedure. I assume the NetScaler presents its own certificate when performing client authentication towards a service, but I am wondering if there is any way the NetScaler could pass the original client certificate of the real client onto the backend encrypted connection.


This is from a PowerPoint slide on setting up client cert authentication when SSL offloading XenMobile. It should be the same principle for any traffic that uses client certs, and it should not matter whether the backend service is HTTP or SSL.

On LB vServer 1, enable Client Certificate Authentication
Mark this certificate check as Optional

Install and bind the CA certificate(s) on NetScaler (required for validation of Client Certificates)
Create an SSL Policy
Rule Expression - CLIENT.SSL.CLIENT_CERT.EXISTS
Create an SSL Action
Client Certificate – ENABLED
Certificate Tag – NSClientCert
Bind SSL Action to SSL Policy
Bind SSL Policy to vServer 1


Thanks, but it seems the above example uses typical SSL Offloading with a plain-text backend connection: the original client certificate is inserted into the HTTP header of the request being sent to the web server. The certificate is not passed onto a new encrypted backend SSL session.

I'm starting to feel that my case is not possible to implement on the NetScaler :)


And I based my above conclusion on this:

http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-ssl-config-ssl-actions-tsk.html#parameters_ssl_actions

clientCert (Client Certificate) Insert the entire client certificate into the HTTP header of the request being sent to the web server. The certificate is inserted in the ASCII (PEM) format. Possible values: ENABLED, DISABLED.

So in that XenMobile example we are clearly talking about an unencrypted backend connection.


Technically, if the certificate was inserted as an HTTP header, it would be passed to the backend server whether the connection to the backend server was HTTP or HTTPS, as it is now just data in the request.

I will share with you that in the past we have found that attempting to do any type of SSL offload on the NetScaler when the backend servers required client certificate authentication (in our case, with US Common Access Card or CAC) was never successful, as the authentication services on the servers sensed that this was a man-in-the-middle attack and would simply fail authentication.

I don't think you can accomplish what you are after. The only way we could successfully use client certificate authentication was to use SSL_Bridge as Carl suggested.


Technically, if the certificate was inserted as an HTTP header, it would be passed to the backend server whether the connection to the backend server was HTTP or HTTPS, as it is now just data in the request.

And thanks for the remark about MITM implications.

Yeah. I also concluded that forwarding the original cert inside an encrypted HTTP request would be the solution closest to what my original idea was aiming at.

Currently I am indeed using SSL_Bridge in this setup, but in the future I will need to decrypt the traffic on the NetScaler, thus leaving out the option for SSL bridging.
