You are having issues passing client certificates across the SSL Visibility appliance and need to understand what is required.
Log records may contain line(s) similar to the following:
localhost ssldata: # Rejecting flow with client certificate: <srcIP> --><dstIP>:443 [some string]. Adding a cut-through rule is necessary to avoid future rejected flows.
There is a limited scenario in which SSL Visibility is able to decrypt SSL sessions that use a client-side certificate; it is described below.
The reason for this limitation is that the CertificateVerify SSL handshake message (which contains a hash of all the handshake messages exchanged between the client and the server so far) is sent after the client's Certificate message and is digitally signed with the client's private key.
The implication is that the CertificateVerify message cannot be modified, which in turn means that no part of the preceding SSL handshake can be modified by an intermediate device.
SSL Visibility provides two options for successfully handling SSL sessions that use a client-side certificate:
1. The action in the inspection policy is Decrypt, the server key is known, and RSA is used as the key exchange algorithm. Such sessions are decrypted as usual. Other sessions are rejected unless they use an unsupported cipher suite (for which the default policy action is CUT).
2. To prevent the inspection policy from rejecting the SSL session, create a CUT rule based on a combination of common name, destination IP/mask, and destination TCP port.
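As an added illustration (not from this article or the appliance's own code) of why the handshake cannot be altered: the server checks the client's CertificateVerify signature against the handshake bytes the server itself sent and received, so substituting a re-signed server certificate the way an inline re-signing proxy does breaks the signature, while passive decryption with a known server key leaves the transcript untouched and the signature valid. The transcript hash, the message contents and the names Transcript, view and Simulate are simplifications assumed by this example, not real TLS encoding.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Transcript is the ordered list of handshake messages one party has seen.
type Transcript [][]byte
// transcriptHash is a simplified stand-in for the TLS handshake hash that
// CertificateVerify covers: SHA-256 over every message exchanged so far.
func transcriptHash(t Transcript) []byte {
	h := sha256.New()
	for _, m := range t {
		h.Write(m)
	}
	return h.Sum(nil)
}
// The client signs its own view of the handshake with its private key.
func signCertificateVerify(key *rsa.PrivateKey, seen Transcript) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, transcriptHash(seen))
}
// The server verifies against the bytes it actually sent and received.
func verifyCertificateVerify(pub *rsa.PublicKey, seen Transcript, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, transcriptHash(seen), sig) == nil
}
// view builds one party's transcript from constructed placeholder messages.
func view(serverCert string) Transcript {
	return Transcript{[]byte("ClientHello"), []byte("ServerHello"), []byte(serverCert), []byte("Certificate: CN=client")}
}

// Simulate reports whether the server accepts CertificateVerify when the appliance only
// observes the handshake (passiveOK) and when it substitutes a re-signed server Certificate (resignedOK).
func Simulate() (passiveOK, resignedOK bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	serverView := view("Certificate: CN=server, signed by the real CA")
	sig, _ := signCertificateVerify(key, serverView) // client saw the same bytes
	passiveOK = verifyCertificateVerify(&key.PublicKey, serverView, sig)
	clientView := view("Certificate: CN=server, re-signed by the appliance")
	sig, _ = signCertificateVerify(key, clientView) // client signed the substitute
	resignedOK = verifyCertificateVerify(&key.PublicKey, serverView, sig)
	return passiveOK, resignedOK, nil
}

func main() { fmt.Println(Simulate()) } // true false <nil>
```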
Imported Document ID: 000026593