
Security Basics mailing list archives

SSL accelerators and client certificate authentication
From: "itpaus" <itpaus () gmail com>
Date: Mon, 6 Mar 2006 11:50:13 +1100

My client has a web farm (IIS) hosting various web sites that serve a
mixture of vanilla http & https traffic, with some of those sites requiring
SSL client certificate-based authentication for access to sensitive areas.
The web servers are fronted by a transparent software load-balancer using a
round-robin algorithm.   
AFAIK in the current architecture a client's certificate is passed through
to the web server during the initial SSL handshake; the web server then
validates the authenticity of the certificate and then passes the
certificate details through to an SSO ISAPI filter for further processing. 
The client is now looking to replace the software load balancer with an SSL
accelerator device (Cisco 11503) but have hit a snag with client
certificate-based authentication, as the client certificate is not passed
back to the web server via the SSL handshake phase but is instead passed
back to the web server via HTTP headers.  Of course this breaks the SSO
ISAPI mechanism which now no longer has access to the certificate details
(it does not query HTTP headers for them at any rate) via the traditional
SSL handshake and as a result client certificate-based authentication fails.
OK, so now the question ... is there a way to implement an SSL accelerator
such that it doesn't break client certificate-based authentication and
doesn't require any changes to the current web server SSO ISAPI mechanism?
Is it possible for an SSL accelerator to pass on a client certificate to a
back-end web server via a backend SSL connection between accelerator & web
Thanks for your input...
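The post describes the consequence of terminating TLS on the accelerator: the web server no longer sees the client certificate in a handshake, only in an HTTP header that the accelerator writes. The example below is added here and is not part of the original post nor code from Cisco or Microsoft. It shows, in Python rather than as an ISAPI filter, the two controls a practitioner wants once a certificate travels in a header: the accelerator must discard any copy of that header the client itself sent before injecting its own, and the backend must accept the header only from the accelerator's address, since a request that reaches the farm directly could carry a forged one. The header name X-Client-Cert, the accelerator network 10.10.0.0/24 and the PEM payload (a placeholder whose body decodes to b"abc", not a real DER certificate) are assumptions constructed for the example.

```python
"""Trust-boundary handling for a client certificate that an SSL accelerator
forwards to a backend web server in an HTTP header (added example; header
name, accelerator addresses and the certificate payload are assumptions)."""
import base64
import binascii
import hashlib
import ipaddress
import re
from typing import Dict, Optional

# Assumed header the accelerator injects; real products use their own names.
CERT_HEADER = "x-client-cert"
# Assumed: only these networks sit between the accelerator and the web farm.
TRUSTED_ACCELERATORS = [ipaddress.ip_network("10.10.0.0/24")]

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder: "YWJj" is base64 of b"abc", not a real DER cert.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE----- YWJj -----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Decode a PEM certificate whether it arrives multi-line or folded onto a
    single header line with spaces in place of newlines."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("header value is not a PEM certificate")
    body = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes: a stable key for an SSO lookup
    that does not depend on parsing the subject name."""
    return hashlib.sha256(der).hexdigest()


def sanitize_ingress(headers: Dict[str, str]) -> Dict[str, str]:
    """Accelerator side, before injecting its own header: drop any copy of the
    certificate header the client supplied, otherwise a client could present
    an arbitrary certificate to the backend without ever passing the TLS
    client-authentication step."""
    return {k: v for k, v in headers.items() if k.lower() != CERT_HEADER}


def forwarded_client_cert(headers: Dict[str, str],
                          peer_ip: str) -> Optional[bytes]:
    """Backend side: accept the forwarded certificate only when the immediate
    TCP peer is a trusted accelerator. A request that reaches the web server
    directly gets None even if it carries the header, since the header could
    have been written by the client itself."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_ACCELERATORS):
        return None
    value = next((v for k, v in headers.items() if k.lower() == CERT_HEADER),
                 None)
    if value is None:
        return None
    try:
        return pem_to_der(value)
    except (ValueError, binascii.Error):
        return None


def demo() -> None:
    # 1. A client tries to smuggle a certificate header straight at the farm.
    forged = {"Host": "www.example.test", "X-Client-Cert": CONSTRUCTED_PEM}
    print("direct client:", forwarded_client_cert(forged, "203.0.113.9"))
    # 2. The accelerator strips the client's copy, authenticates the client in
    #    the TLS handshake, then injects the certificate it actually validated.
    clean = sanitize_ingress(forged)
    clean["X-Client-Cert"] = CONSTRUCTED_PEM
    der = forwarded_client_cert(clean, "10.10.0.7")
    print("via accelerator:", der, fingerprint(der))


if __name__ == "__main__":
    demo()
```

The source-address check is the minimum; on a real deployment the accelerator-to-server leg would also be a private VLAN or a mutually authenticated backend TLS connection, so that nothing but the accelerator can reach the listener that honours the header at all.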


