{"id":2626,"date":"2016-02-26T16:22:48","date_gmt":"2016-02-26T21:22:48","guid":{"rendered":"https:\/\/infotechguy.net\/?p=2626"},"modified":"2025-02-22T11:26:46","modified_gmt":"2025-02-22T16:26:46","slug":"masking-2-way-mutual-ssl-authentication-using-f5-ltm-or-haproxy","status":"publish","type":"post","link":"https:\/\/infotechguy.net\/?p=2626","title":{"rendered":"F5 BIGIP and HAProxy — Masking 2-Way “Mutual” SSL Authentication"},"content":{"rendered":"

Hello folks,<\/p>\n

So a recent post I published talked about 1-Way vs 2-way SSL Authentication<\/a> in some decent detail. We learned that 2-Way “Mutual” SSL Authentication can be used to enforce both parties attempting to communicate securely to provide authenticity. In other words, prove to each other that they are who they say they are. This can be very powerful from a security standpoint, but is it practical? The answer is, yes and no. The constraint comes from the aspect of administration (actually create certificates for each client) and manageability (keep accounting and maintaining actively lists of trusts) with the trade-off of proper authenticity. For example at first administering and managing 10 client certificates may be okay, but then imaging 100, or even a 1,000! So in this post I wanted to approach the idea of utilizing some tools we can use to offload some of this administration and management while maintaining Mutual Authentication with another entity. The idea revolves around one major assumption, users of a particular service (In this case a web-server) reside on a privately controlled and trusted network<\/p>\n

My idea is if we have a group of clients residing on an internal privately addressed network, we can use either an F5 LTM or HAProxy to proxy our users’s connections destined for a service that is enforcing 2-Way SSL “Mutual” Authentication. The F5 LTM or HAProxy would perform the 2-Way SSL Mutual Authentication on behalf<\/em> of each connecting user, eliminating the technical need to generate certificates for each client, while maintaining an element of mutual trust to the end service.<\/p>\n

The basic idea is: (notice only our F5 LTM\/HAproxy and the web-server perform 2-Way “Mutual” Authentication)<\/strong><\/p>\n

\"\"<\/a><\/p>\n

<\/h4>\n

<\/p>\n

Preliminary Steps:<\/h3>\n

For the following steps please read my 1-Way vs 2-Way SSL Authentication Post.<\/a><\/p>\n

    \n
  1. \n
    Create a the web-server’<\/strong>s CSR and Key<\/h5>\n
    root@ca:\/opt# openssl req -config openssl-rootca.conf -extensions server_req_ext -new -nodes -newkey rsa:2048 -keyout web-server.key -out web-server.csr -days 365\nGenerating a 2048 bit RSA private key\n................................+++\n............................................................................+++\nwriting new private key to 'web-server2.key'\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nEnter Country [US]:\nState or Province Name (full name) [Connecticut]:\nLocality Name (eg, city) [Wethersfield]:\nOrganization Name [thejimmahknows]:\nUnit Name [Test Unit]:\nCommon Name (e.g. server FQDN or YOUR name) []:web-server\nContact email for this Certificate [admin@example.com]:\n<\/pre>\n
     <\/li>\n
  2. \n
    Create the F5 & HAproxy Server-Side<\/strong> CSR and Key<\/h5>\n
    root@ca:\/opt# openssl req -config openssl-rootca.conf -extensions client_req_ext -new -nodes -newkey rsa:2048 -keyout ha-client1.key -out ha-client1.csr -days 365\nGenerating a 2048 bit RSA private key\n...................+++\n.....+++\nwriting new private key to 'ha-client1.key'\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nEnter Country [US]:\nState or Province Name (full name) [Connecticut]:\nLocality Name (eg, city) [Wethersfield]:\nOrganization Name [thejimmahknows]:\nUnit Name [Test Unit]:\nCommon Name (e.g. server FQDN or YOUR name) []:ha-client1\nContact email for this Certificate [admin@example.com]:\n<\/pre>\n
     <\/li>\n
  3. \n
    Create the F5 & HAproxy Client-Side<\/strong> (connection the client will actual connect to)<\/h5>\n
    root@ca:\/opt# openssl req -config openssl-rootca.conf -extensions server_req_ext -new -nodes -newkey rsa:2048 -keyout virtual-service.key -out virtual-service.csr -days 365\nGenerating a 2048 bit RSA private key\n........................+++\n.............................................................+++\nwriting new private key to 'virtual-service.key'\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nEnter Country [US]:\nState or Province Name (full name) [Connecticut]:\nLocality Name (eg, city) [Wethersfield]:\nOrganization Name [thejimmahknows]:\nUnit Name [Test Unit]:\nCommon Name (e.g. server FQDN or YOUR name) []:mytestvip\nContact email for this Certificate [admin@example.com]:\n<\/pre>\n<\/li>\n
  4. \n
    Using our CA from my previous ariticle, sign all three of these certificates<\/h5>\n
    Sign the web-server’s CSR<\/strong><\/p>\n
    root@ca:\/opt# openssl ca -config openssl-rootca.conf -extensions server_req_ext -in web-server2.csr -out web-server2.crt\nUsing configuration from openssl-rootca.conf\nEnter pass phrase for \/opt\/rootCA.key:\nCheck that the request matches the signature\nSignature ok\nThe Subject's Distinguished Name is as follows\ncountryName           :PRINTABLE:'US'\nstateOrProvinceName   :ASN.1 12:'Connecticut'\nlocalityName          :ASN.1 12:'Wethersfield'\norganizationName      :ASN.1 12:'thejimmahknows'\norganizationalUnitName:ASN.1 12:'Test Unit'\ncommonName            :ASN.1 12:'web-server'\nCertificate is to be certified until Feb 25 15:10:27 2017 GMT (365 days)\nSign the certificate? [y\/n]:y\n\n\n1 out of 1 certificate requests certified, commit? [y\/n]y\nWrite out database with 1 new entries\nData Base Updated\n<\/pre>\n
    Sign the F5 & HAProxy Server-Side CSR (This is the connection the F5 makes to our backend pool members)<\/strong><\/p>\n
    root@ca:\/opt# openssl ca -config openssl-rootca.conf -extensions client_req_ext -in ha-client1.csr -out ha-client1.crt\nUsing configuration from openssl-rootca.conf\nEnter pass phrase for \/opt\/rootCA.key:\nCheck that the request matches the signature\nSignature ok\nThe Subject's Distinguished Name is as follows\ncountryName           :PRINTABLE:'US'\nstateOrProvinceName   :ASN.1 12:'Connecticut'\nlocalityName          :ASN.1 12:'Wethersfield'\norganizationName      :ASN.1 12:'thejimmahknows'\norganizationalUnitName:ASN.1 12:'Test Unit'\ncommonName            :ASN.1 12:'ha-client1'\nCertificate is to be certified until Feb 25 15:12:16 2017 GMT (365 days)\nSign the certificate? [y\/n]:y\n\n\n1 out of 1 certificate requests certified, commit? [y\/n]y\nWrite out database with 1 new entries\nData Base Updated\n<\/pre>\n
    Sign the F5 & HAProxy Client-Side CSR (This is the connection our users will connect to, the VIP)<\/strong><\/p>\n
    root@ca:\/opt# openssl ca -config openssl-rootca.conf -extensions server_req_ext -in virtual-service.csr -out virtual-service.crt\nUsing configuration from openssl-rootca.conf\nEnter pass phrase for \/opt\/rootCA.key:\nCheck that the request matches the signature\nSignature ok\nThe Subject's Distinguished Name is as follows\ncountryName           :PRINTABLE:'US'\nstateOrProvinceName   :ASN.1 12:'Connecticut'\nlocalityName          :ASN.1 12:'Wethersfield'\norganizationName      :ASN.1 12:'thejimmahknows'\norganizationalUnitName:ASN.1 12:'Test Unit'\ncommonName            :ASN.1 12:'mytestvip'\nCertificate is to be certified until Feb 25 15:15:09 2017 GMT (365 days)\nSign the certificate? [y\/n]:y\n\n\n1 out of 1 certificate requests certified, commit? [y\/n]y\nWrite out database with 1 new entries\nData Base Updated\n<\/pre>\n
     <\/li>\n
  5. \n
    Configure Apache web-server to enforce the 2-Way “Mutual” Authentication<\/h5>\n
     Apache Config from previous post.<\/strong><\/p>\n
    root@web-server:\/opt# vi \/etc\/apache2\/sites-available\/default.conf\nListen 443\n<VirtualHost *:443>\n        DocumentRoot           \"\/var\/www\/\"\n\n        SSLEngine               on\n        SSLCACertificateFile   \/opt\/rootCA.crt\n        SSLCertificateFile     \/opt\/web-server.crt\n        SSLCertificateKeyFile  \/opt\/web-server.key\n       SSLCARevocationFile    \/opt\/rootCRL.crl\n        SSLStrictSNIVHostCheck on\n        SSLVerifyClient        require\n        SSLVerifyDepth         1\n\n# Allows PHP to read Certificate info\n        SSLOptions +stdEnvVars\n\n        LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined\n        CustomLog \"\/tmp\/access.log\" combined\n        ErrorLog \"\/tmp\/error.log\"\n\n<\/VirtualHost>\n<\/pre>\n
    Restart Apache<\/strong><\/p>\n
    root@web-server:\/opt# service apache2 restart<\/pre>\n
     For Troubleshooting create this index.php file<\/strong><\/p>\n
    <?php\necho \"Date       =   \" . date('Y-m-d H:i:s') . \"<br>\";\n\necho \"Client Cert =  \" . $_SERVER['SSL_CLIENT_S_DN_CN'] . \"<br>\";\necho \"Server Cert =  \" . $_SERVER['SSL_SERVER_S_DN_CN'] . \"<br>\";\necho \"Server Serial =  \" . $_SERVER['SSL_SERVER_M_SERIAL'] . \"<br>\";\n?>\n<\/pre>\n
     <\/li>\n<\/ol>\n
    Masking with F5 LTM:<\/h3>\n
      \n
    1. \n
      Importing Certificates<\/strong><\/h5>\n
      \"\"<\/a><\/p>\n
      \"\"<\/a><\/p>\n