i just found out cisco currently isnt support client authentication in SSL.

too bad, any view on when this functionality will be available ?

this functionality will come with software version 2.0 which should come out in november.

Gilles.

Hi Gilles,

Any update on when version 2 will be available ?

regards,

Sebastian

actually my first message was incorrect.

The target is early 2008 for A2.0

Nov was for Ace appliance software on CCO. A1.7

Gilles.

Hi Gilles,

that's a pitty, but we'll keep waiting.

Do you know where i can register for ACE software updates ?

Unfortunately, extracting values from the cert and insert into the HTTP Header did not made it in ACE2.0.

Next big release 3.0 should have it.

Gilles.

Hi Gilles,

I can't exactly determine if these features have been implemented yet ?

And if so, does an example configuration reside somewhere on the cisco site, or can you give a hint in the right direction ?

regards,

Sebastian

Looks like it has been implemented some time ago.

zdenek

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/terminat.html#wp1169832

Hello Gilles,

We had a similar requirement from one of our customer that their client terminals (POS terminals) should be authenticated by the ACE which is terminating the SSL connection. Backend connections to the server is clear text.

Since in a normal SSL flow the server sends the certificate to the client and the client verifies the identity of the server but in our case we need server/ACE to authenticate the client or some form of mutual authentication should be there.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/terminat.html#wp1117637

As per the documentation we have enabled the authgroup to enable the client authentication feature, but when we are testing the application it seems that only the front end (client to ACE) connection gets established but not the back end.

We have verified that if client authentication is disabled the application works fine but the ACE sends it the certificate and the client is not authenticated.

crypto authgroup POS

cert certfinal.pem

ssl-proxy service ssl-proxy

   key POS

   cert certfinal.pem

   authgroup POS

   ssl advanced-options POS

Would appreciate if you can help us out in that.

Regards,

Akhtar

Akhtar,

   When doing client authentication, the ACE will request a certificate from the client.  This will be done in the SSL handshake.  If the client does not send a certificate, the handshake will fail.   If the Client does send a certficate, then the ACE will use the certificate in the auth group to autenticate the client certificate. 

In your configuration, you are using cert certfinal.pem in the auth group.  This appears to be the server certificate. If that is the case, then this will not work as it is highly unlikely that the certifcate

cert certfinal.pem was used to sign the client certifcates.  The Authgroup should have the certificate that signed the client certs and not the server cert.

Typicall you would see a certificate chain that would look some thing like this

Root CA--signs the Intermediate CA---which signs the server or Client Certifcate.

Your authgroup should contain the the intermediate and root ca that signed the client certificate.  Then those client certificates must be installed on the client.

As per the client the certfinal.pem is generated with the combination of root certificate,  intermediate certificate (from ACE CSR) and key (generated on ACE) for CSR.

On client they have uploaded intermediate certificate (from ACE CSR) because the client couldn't generate the CSR since its a POS terminal.

Our scenario is like given below with client authentication

(Server)---------------clear text----------------(ACE)-----------------SSL--------------------(POS Terminals/client)

Can you guide us on how to move ahead ?

Regards,

Akhtar