Security Basics mailing list archives
SSL accelerators and client certificate authentication
From: "itpaus" <itpaus () gmail com>
Date: Mon, 6 Mar 2006 11:50:13 +1100
List,

My client has a web farm (IIS) hosting various web sites that serve a mixture of vanilla http & https traffic, with some of those sites requiring SSL client certificate-based authentication for access to sensitive areas. The web servers are fronted by a transparent software load-balancer using a round-robin algorithm.

AFAIK in the current architecture a client's certificate is passed through to the web server during the initial SSL handshake; the web server then validates the authenticity of the certificate and then passes the certificate details through to an SSO ISAPI filter for further processing.

The client is now looking to replace the software load balancer with an SSL accelerator device (Cisco 11503) but has hit a snag with client certificate-based authentication, as the client certificate is not passed back to the web server via the SSL handshake phase but is instead passed back to the web server via HTTP headers. Of course this breaks the SSO ISAPI mechanism which now no longer has access to the certificate details (it does not query HTTP headers for them at any rate) via the traditional SSL handshake and as a result client certificate-based authentication fails.

OK, so now the question ... is there a way to implement an SSL accelerator such that it doesn't break client certificate-based authentication and doesn't require any changes to the current web server SSO ISAPI mechanism? Is it possible for an SSL accelerator to pass on a client certificate to a back-end web server via a backend SSL connection between accelerator & web server?

Thanks for your input...

Jason