2 way SSL authentication enabled but not working

I created a virtual host with the following properties:

{
  "hostAliases" : [ "somealias1.com", "somealias2.com" ],
  "interfaces" : [ ],
  "name" : "defaultSSL",
  "port" : "9443",
  "sSLInfo" : {
    "ciphers" : [ ],
    "clientAuthEnabled" : true,
    "enabled" : true,
    "ignoreValidationErrors" : true,
    "keyAlias" : "apidev",
    "keyStore" : "SomeKeyStore",
    "protocols" : [ ],
    "trustStore" : "SomeTruststore"
  }
}

and in SomeTruststore:

{
  "certs" : [ "apidpdev" ],
  "keys" : [ ],
  "name" : "SomeTruststore"
}

So when I run:

curl -k https://somealias1.com:9443/testping

I am actually getting a response.

I was expecting this to fail because I did not pass the "apidpdev" cert that is defined in SomeTruststore.

Am I missing something?


@leo sun

Please execute the following:

1) openssl s_client -showcerts -connect somealias:9443

This will give you the details of the certs installed on port 9443 (both cert details, i.e. keystore as well as truststore).

This will ensure that the certs are added correctly and the configuration is fine.

If possible, run the command on the Router and, instead of somealias, you can use localhost.

2) Where are you running the CURL command?

curl -k https://somealias1.com:9443/testping

Please remove -k and test.

Please let me know in case of any issues.

Here is the openssl output. I removed/masked some of the details for privacy reasons.

---
Server certificate
subject=****
issuer=****
---
Acceptable client certificate CA names
****1
****2
****3
---
SSL handshake has read 3156 bytes and written 547 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-DES-CBC3-SHA
    Session-ID: 56F2C143C184B9032A347DE884DDA11DE6E2F82D9A4A1E2755935ED567B1C838
    Session-ID-ctx:
    Master-Key: ****
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1458749763
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

Since this is a self-signed cert, curl without -k will not work. The other system (non-Apigee) I have also uses 2-way auth, and when I ran curl against it without presenting a proper client cert, I got:

curl: (7) Failed connect to

@leo sun

So proper cert details are displayed when you executed the openssl commands.

I am also assuming that the output of the openssl command has the line "Acceptable CA CERTS" (or something similar to this line).

The certs after this line are the certs added in the truststore.

Now, please test the configuration below.

The VHOST that you have created must be part of the default.xml, and it should not have any other VHOST like default, etc. The default.xml must only have one vhost, the one pointing to the 2-way SSL VHOST.

Please let me know in case of any issues.
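To read what the openssl s_client output from step 1 is actually telling you, here is an added Python example (not from the thread, and not Apigee code) that parses a constructed s_client summary of the same shape as the one posted above: it lists the CA names the server sent in its CertificateRequest (the part after "Acceptable client certificate CA names") and flags the self-signed chain, the 3DES cipher and the 1024-bit key that appear in the posted output. The sample text, the CA names and the function names are assumptions; seeing a CertificateRequest only shows client auth is configured, and whether a connection without a cert is rejected still has to be tested directly.

```python
import re

# Constructed sample of `openssl s_client -showcerts -connect host:9443` output,
# shaped like the one posted in the thread; CA names are placeholders, not real CAs.
SAMPLE_S_CLIENT_OUTPUT = """\
---
Acceptable client certificate CA names
/CN=Example Client CA 1
/CN=Example Client CA 2
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
Server public key is 1024 bit
    Verify return code: 19 (self signed certificate in certificate chain)
---
"""

def parse_s_client(output):
    # Pull the client-CA list and the handshake facts out of s_client's summary.
    info = {"client_ca_names": [], "cipher": None, "key_bits": None,
            "verify_code": None, "verify_msg": None}
    in_ca_block = False
    for line in output.splitlines():
        s = line.strip()
        if s == "Acceptable client certificate CA names":
            in_ca_block = True   # printed only when the server sent a CertificateRequest
        elif in_ca_block and (s == "---" or s.startswith("Client Certificate Types")):
            in_ca_block = False  # end of the CA list (newer OpenSSL prints extra lines after it)
        elif in_ca_block:
            info["client_ca_names"].append(s)
        elif m := re.match(r"New, .*Cipher is (\S+)", s):
            info["cipher"] = m.group(1)
        elif m := re.match(r"Server public key is (\d+) bit", s):
            info["key_bits"] = int(m.group(1))
        elif m := re.match(r"Verify return code: (\d+) \((.*)\)", s):
            info["verify_code"], info["verify_msg"] = int(m.group(1)), m.group(2)
    return info

def assess(info):
    # Findings a defender would raise; a CertificateRequest alone does not prove enforcement.
    findings = []
    if info["client_ca_names"]:
        findings.append("client cert requested; confirm a connection without a cert is rejected")
    else:
        findings.append("no client CA names sent: server is not asking for a client cert")
    if info["cipher"] and ("DES" in info["cipher"] or "RC4" in info["cipher"]):
        findings.append("weak cipher negotiated: " + info["cipher"])
    if info["key_bits"] is not None and info["key_bits"] < 2048:
        findings.append("server key is only %d bits" % info["key_bits"])
    if info["verify_code"] not in (None, 0):
        findings.append("chain verification failed (%d): %s" % (info["verify_code"], info["verify_msg"]))
    return findings
```

Feed it the real output with `assess(parse_s_client(open("s_client.txt").read()))`; an empty CA list means the server never asked for a client certificate at all.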

The VHOST part that I have written is incorrect. Please ignore it. A proxy can have n number of VHOSTs, and I guess you have also added this vhost in the default.xml file, and that's the reason you are getting a response.

Can you go through the system.log file of the router and check the logs?

Can you also update the value of IgnoreValidationErrors from true to false?

"

If true, specifies to ignore SSL certificate errors. This is similar to the "-k" option to cURL.

This option is valid when configuring SSL for Target Servers and Target Endpoints, and when configuring virtual hosts that use 2-way SSL.

"

Hi,

I appreciate your comments. I set IgnoreValidationErrors to false and it looks like 2-way SSL works now.

Here is what I am not clear about: the following enforces 2-way SSL authentication

<ClientAuthEnabled>true</ClientAuthEnabled>

but does this actually allow anyone to connect to it?

<IgnoreValidationErrors>true</IgnoreValidationErrors>