Client certificate support with SSL Visibility

book

Article ID: 168730

calendar_today

Updated On:

Products

SSL Visibility Appliance Software

Issue/Introduction

You are having issues passing client certificates across the SSL Visibility appliance and need to understand what is required.

Log records may contain line(s) similar to the following:
localhost ssldata[3221]: # Rejecting flow with client certificate: <srcIP> --><dstIP>:443 [some string]. Adding a cut-through rule is necessary to avoid future rejected flows.

There is a limited scenario when SSL Visibility is able to decrypt SSL session(s) with a client-side certificate, which is described below.

Cause

The reason for this limitation is that the CertificateVerify SSL handshake message ( containing the hash of all the previous handshake messages exchanged between the client and the server so far) sent after the Certificate message from the client is digitally signed by a private key of the client.
The implication is that the CertificateVerify message cannot be modified, which in turn implies that no part of the SSL handshake can be modified.

Resolution

SSL Visibility provides two options to successfully handle client-side certificate SSL sessions:
  1.  Action in the inspection policy is Decrypt: server key is known and RSA is used as the key exchange algorithm. Such sessions will be decrypted as usual. Other sessions will be rejected unless they use an unsupported cipher suite (where the default policy action is CUT).
  2. To prevent SSL session rejection by the inspection policy, create a CUT rule based on a combination of common name, destination IP/mask, and destination TCP port.