ProxySG requesting client certificates does not work with Internet Explorer

Article ID: 166836

Products

Asset Management Solution ProxySG Software - SGOS

Issue/Introduction

Requesting client certificates does not work with Internet Explorer and ProxySG 
 

Resolution

PROBLEM:

A server requests a client certificate by sending the "CertificateRequest" message to the client. This message contains a list of all the CAs that are trusted by the server, so its size is dictated by how many CA certificates are configured on the server. When the proxy requests a client certificate from the browser, it includes the list of CAs it trusts in the "CertificateRequest" message. With SGOS 6.2.x.x or later, the default list of CA certificates configured on the proxy is larger than in previous releases. Because of this larger list, the "CertificateRequest" message generated by the ProxySG spans multiple SSL records. Unfortunately, Internet Explorer cannot handle SSL handshake messages that span multiple SSL records. As a result, client certificates do not work with Internet Explorer in certain cases. Note that this issue is specific to Internet Explorer. Firefox does not have this problem.

WORKAROUND:

HTTPS Reverse Proxy
HTTPS Reverse Proxy uses client certificates for authentication. A typical use case is an HTTPS Reverse Proxy service with the "verify-client" attribute enabled, along with certificate realm authentication. This deployment will work with SGOS 6.2.x.x and later as long as the HTTPS Reverse Proxy service in question is configured to use a CA Certificate List (CCL) that includes only the root CA associated with the backend server resources. This reduces the number of CAs trusted by the service and thus reduces the size of the CertificateRequest message, so that Internet Explorer can handle it.

You can create a CCL for this purpose by going to ProxySG Management Console > Configuration > SSL > CA Certificates > CA Certificate Lists:
- Click the New button
- Give the new CCL a name
- Select and Add only the CA certificate(s) associated with the reverse proxy deployment
- Click OK
- Click Apply
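
To check from a capture whether a CertificateRequest spans more than one record, and that a trimmed CCL brings it back to a single record, the following added Python example (not part of the original article and not vendor code) reassembles handshake messages from a raw TLS record stream and counts the records each one used. The CA counts and DN sizes are constructed placeholders rather than the actual ProxySG defaults, and the sample message uses the TLS 1.0 CertificateRequest layout.

```python
import struct

HANDSHAKE = 22            # TLS record content type: handshake
CERTIFICATE_REQUEST = 13  # handshake message type
MAX_FRAGMENT = 2 ** 14    # largest plaintext fragment one TLS record may carry

def iter_records(stream):
    """Yield (content_type, fragment) for each TLS record in a raw byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def handshake_spans(stream):
    """Return [(msg_type, body_length, records_used)] per handshake message."""
    results, buf, used = [], b"", 0
    for ctype, fragment in iter_records(stream):
        if ctype != HANDSHAKE:
            continue
        buf, used = buf + fragment, used + 1
        while len(buf) >= 4:
            body_len = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + body_len:
                break                      # message continues in the next record
            results.append((buf[0], body_len, used))
            buf = buf[4 + body_len:]
            used = 1 if buf else 0         # leftover bytes start the next message
    return results

def certificate_request(dn_sizes):
    """Constructed TLS 1.0 CertificateRequest with placeholder DNs of given sizes."""
    cas = b"".join(struct.pack("!H", n) + b"\x30" * n for n in dn_sizes)
    body = b"\x01\x01" + struct.pack("!H", len(cas)) + cas  # one type: rsa_sign
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

def to_records(message, version=0x0301):
    """Split handshake bytes into records of at most MAX_FRAGMENT bytes each."""
    chunks = [message[i:i + MAX_FRAGMENT] for i in range(0, len(message), MAX_FRAGMENT)]
    return b"".join(struct.pack("!BHH", HANDSHAKE, version, len(c)) + c for c in chunks)

if __name__ == "__main__":
    # Constructed inputs: 150 vs. 1 trusted CA, 120-byte DNs (illustrative sizes only).
    for label, count in (("large CA list", 150), ("trimmed CCL", 1)):
        stream = to_records(certificate_request([120] * count))
        for mtype, size, used in handshake_spans(stream):
            if mtype == CERTIFICATE_REQUEST:
                print(f"{label}: CertificateRequest body {size} bytes, {used} record(s)")
```

The parser only sees plaintext handshake records, so it applies to the initial handshake; a CertificateRequest sent during an encrypted renegotiation cannot be inspected this way.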