
How does CSS handle SSL authentication for clients w/o certificate?

coduong
Level 1

Hello,

In the case when the CSS is configured to require a client certificate, and if validation is set to ignore the failure and insert the certificate into the HTTP header before forwarding the request to the server, what will happen to the HTTP requests from clients that do not have a certificate at all? Will they be treated as regular failures and get forwarded to the server, or will the connections be rejected completely?

The documentation mentions the scenarios for expired, revoked, or invalid certificate but does not mention anything about no certificate.  Can someone provide some inputs?  Much appreciated.

coduong

2 Replies

Christopher Miles
Cisco Employee

Hi Coduong,

This is an interesting question as the behaviour has changed ....

In webns 008.020(003.003) we enhanced the behaviour to allow additional cli options to control this exact behaviour

"ssl-server x no-client-cert [ignore,reject]"

ignore will allow the client through without a certificate. The default is to reject.

In addition

"ssl-server x http-header no-client-cert "text you want inserted""

This will insert the configured text into the Subject-CN field, when the client does not provide a client certificate.

For reference see release notes

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/release/note/RN820_X.html

bug id : CSCso53528

cheers,

Chris

Thanks Christopher. Exactly what I'm looking for.
