Layer7 API Management

  • 1.  SSL, unwanted client certificate request

    Posted Sep 08, 2017 10:53 AM

    Hi all,

I need help to understand why, on the first SSL request to an API published on a 9.1 Gateway (the API doesn't have the Require SSL assertion or the Require Client Certificate assertion), the browser (I need to clear all history and cookies first) asks for a client certificate (see attached image).

Does it depend on the Gateway's configuration? Is it possible to change this behaviour?

    Thanks,

    Daniele



  • 2.  Re: SSL, unwanted client certificate request

    Broadcom Employee
    Posted Sep 08, 2017 12:43 PM

    Hello daniele.elia,


Is your browser using a proxy for its requests?

    It seems the client certificate request is not coming from the gateway.

Did you try a direct curl or wget from this same client machine to validate this assumption?

Regards



  • 3.  Re: SSL, unwanted client certificate request

    Posted Sep 08, 2017 01:03 PM

    Hi Nicolas,

curl works without any problem. Only with Chrome do I have this kind of behavior; it was a user with Chrome on Android who told me about this, and I verified it with Chrome on my Mac. I have this behavior even when calling the gateway node on 8443. I also tried on a fresh VM gateway with the self-signed cert: same problem.

I don't understand what's happening.

    Daniele



  • 4.  Re: SSL, unwanted client certificate request
    Best Answer

    Posted Sep 08, 2017 04:50 PM

Doesn't 8443 on the Gateway default to client cert "optional" on the entire listener, so that the browser prompts to give you the option to use one? So even if the front-end LB on 443 sends the request on the back-end to a listener with an optional client cert, you can get that popup. Did you try 9443, which should, if I recall correctly, default to client cert "none"?



  • 5.  Re: SSL, unwanted client certificate request

    Posted Sep 09, 2017 02:31 AM

Do you think I can change this default for 8443 from "Listen port properties" without any problems?



  • 6.  Re: SSL, unwanted client certificate request

    Broadcom Employee
    Posted Sep 11, 2017 05:12 AM

For your test, just try to request the same https endpoint, but on port 9443 (if you are using the default conf. you should be able to do it). If the client certificate prompt is still showing, it is definitely not a gateway-side configuration.

Did you check your proxy configuration?



  • 7.  Re: SSL, unwanted client certificate request

    Posted Sep 12, 2017 02:27 AM

Hi Nicolas, yes, on 9443 it works without asking for the client certificate; I checked in the transport properties and there's the option to change the SSL client request behaviour.

    Thanks



  • 8.  Re: SSL, unwanted client certificate request

    Broadcom Employee
    Posted Sep 12, 2017 11:49 AM

Another thing to look at here is what TLS versions are enabled on the listen port. I know with TLS 1.2 and possibly even 1.1 there are just more stringent security measures in place. If the TLS version being used in the communication is 1.2, for instance, then the client side will need to present a certificate to the server (the gateway in this case) during the SSL handshake.

If you were to run a tcpdump or sniffer during the request you will see the client side initiate a 'Client Hello' request to the gateway. The gateway will respond with a 'Server Hello and certificate request' back to the client, at which point the client side needs to present a certificate to the gateway. The gateway will then accept a certificate which is contained within its Manage Certificates store and which is marked with the 'signing client certificates' option enabled.

So from Policy Manager -> Tasks -> Transports -> Manage Listen Ports -> select port 8443 or 9443 -> Properties -> SSL/TLS Settings and check 'Enabled TLS Versions'. See if TLS 1.1 or 1.2 is enabled. If you disable 1.1 and 1.2, then restart the gateway and test again, are you still getting prompted to provide a certificate to the gateway?

Again though, using only TLS 1.0 on a listen port is less secure than using 1.1 or 1.2.

Hope that helps.

    Daren
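The thread's diagnosis (posts 4 and 8) is that a listen port configured with client certificate "optional" sends a CertificateRequest in the handshake, and that message is what makes Chrome open its certificate chooser. The following Go program is an added example, not code from the thread or from the Layer7/CA Gateway: it probes a TLS endpoint and reports whether the server sent a CertificateRequest and which protocol version was negotiated, which is a quicker check than reading a tcpdump. It stands up a local `httptest` server as a substitute for the gateway listen port; `ProbeListener` and `StartTestListener` are names chosen here, and verification is skipped only because the thread's test gateway is self-signed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type ProbeResult struct {
	CertRequested bool   // server sent a CertificateRequest, the message that makes a browser open its certificate chooser
	Version       uint16 // negotiated protocol version, e.g. tls.VersionTLS12
}

// ProbeListener connects to addr ("host:port") and reports whether the server asked for a client
// certificate: crypto/tls calls GetClientCertificate only when a CertificateRequest arrives. Server
// verification is skipped because the thread's test gateway is self-signed; this is a probe, not a client.
func ProbeListener(addr string) (ProbeResult, error) {
	var res ProbeResult
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		InsecureSkipVerify: true,
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			res.CertRequested = true
			return &tls.Certificate{}, nil // answer with no certificate, like a browser that has none
		},
	})
	if err != nil {
		return res, err
	}
	res.Version = conn.ConnectionState().Version
	return res, conn.Close()
}

// StartTestListener runs a local HTTPS server standing in for a gateway listen port: tls.RequestClientCert
// matches the port's "optional" client-cert setting, tls.NoClientCert matches "none" (constructed test setup).
func StartTestListener(mode tls.ClientAuthType) *httptest.Server {
	s := httptest.NewUnstartedServer(http.NotFoundHandler())
	s.TLS = &tls.Config{ClientAuth: mode}
	s.StartTLS()
	return s
}

func main() {
	for _, mode := range []tls.ClientAuthType{tls.NoClientCert, tls.RequestClientCert} {
		s := StartTestListener(mode)
		res, err := ProbeListener(s.Listener.Addr().String())
		s.Close()
		fmt.Printf("%-18v CertificateRequest seen: %-5v TLS 0x%04x err: %v\n", mode, res.CertRequested, res.Version, err)
	}
}
```

Pointing `ProbeListener` at a real listen port (for example the 8443 and 9443 ports compared in the thread) shows directly which one sends the CertificateRequest, without having to clear browser state or capture traffic.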