On-premise WAF. Need to implement mutual TLS (mTLS) authentication to restrict access to an Internet-facing web site. Seems straightforward, but the testing so far hasn't restricted access like we expect.
1. I created two client certificates.
- The first certificate is named clientcert.abc.com. Let's call this the "correct" certificate. This is the cert we want the WAF to permit, and block all others.
- The second certificate is named badcert.abc.com.
- Both certificates were generated by the same Certificate Authority.
2. WAF Gateway is in non-transparent reverse proxy WAF mode. On the Reverse Proxy tab:
- The External Hostname field is configured with the FQDN of the web site testapps6.example.com.
- The Client Certificate field is configured with the correct client SSL certificate clientcert.abc.com.
- The Client Authentication Authorities field is configured with the root and intermediate certificates of the Certificate Authority (the Certificate Authority that generated clientcert.abc.com and badcert.abc.com).
3. Test #1
- In my client (Firefox web browser) I installed the BADCERT.abc.com
- In the Firefox web browser I went to the web site testapps6.example.com. Firefox prompted me to submit a client certificate. I submitted badcert.abc.com
- The web site testapps6.example.com loaded successfully. This was NOT the expected result. I expected to be blocked by the WAF due to submitting a client certificate that didn't match what was configured in the WAF.
4. Test #2
- In my client (Firefox web browser) I still have badcert.abc.com
- In the Firefox web browser I went to the web site testapps6.example.com. Firefox prompted me to submit a client certificate. I DID NOT submit any certificate.
- The WAF blocked the connection. This is expected since no client certificate was submitted. This is also the expected result when an incorrect client certificate is submitted, but that's not what happened during test #1.
Any ideas?
#On-PremisesWAF (formerly Securesphere)
------------------------------
Thanks,
Fred
------------------------------
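The two tests above are consistent with a reverse proxy that validates only the certificate chain: any certificate issued by a CA listed under "Client Authentication Authorities" chains correctly, so badcert.abc.com passes exactly like clientcert.abc.com, while no certificate at all fails. Restricting access to one particular client certificate needs a second step after chain validation, an explicit allowlist on the presented certificate's identity (subject CN here). The program below is an added example, not code from the original post or from the Imperva product; it builds a throwaway CA in memory, issues two client-auth certificates named as in the post, and shows the difference between chain validation alone and chain validation plus an identity allowlist. The assumption that the WAF field performs chain validation only is an inference from the described behaviour, not a documented product fact.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a constructed test CA and the client certificates it issued.
// Nothing here is persisted; the CA exists only for the duration of the run.
type PKI struct {
	Roots   *x509.CertPool
	Clients map[string]*x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustParse(der []byte) *x509.Certificate {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewTestPKI creates an in-memory CA and issues one client-auth certificate
// per name (mirrors clientcert.abc.com and badcert.abc.com from the post,
// both signed by the same CA).
func NewTestPKI(names ...string) *PKI {
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Client CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert := mustParse(caDER)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)

	p := &PKI{Roots: pool, Clients: map[string]*x509.Certificate{}}
	for i, name := range names {
		leafKey := mustKey()
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 2)),
			Subject:      pkix.Name{CommonName: name},
			NotBefore:    time.Now().Add(-time.Hour),
			NotAfter:     time.Now().Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &leafKey.PublicKey, caKey)
		if err != nil {
			panic(err)
		}
		p.Clients[name] = mustParse(der)
	}
	return p
}

// ChainValid is the CA-trust step: does the presented certificate chain to a
// trusted client CA and carry the client-auth extended key usage?
func ChainValid(roots *x509.CertPool, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Authorize adds the identity step: after the chain validates, the subject CN
// must be on an explicit allowlist. The reason string is what a proxy would log.
func Authorize(roots *x509.CertPool, allowed map[string]bool, cert *x509.Certificate) (bool, string) {
	if !ChainValid(roots, cert) {
		return false, "reject: certificate does not chain to a trusted client CA"
	}
	cn := cert.Subject.CommonName
	if !allowed[cn] {
		return false, fmt.Sprintf("reject: CA trusted, but CN %q is not on the allowlist", cn)
	}
	return true, fmt.Sprintf("allow: CN %q", cn)
}

func main() {
	pki := NewTestPKI("clientcert.abc.com", "badcert.abc.com")
	allow := map[string]bool{"clientcert.abc.com": true}
	for _, name := range []string{"clientcert.abc.com", "badcert.abc.com"} {
		c := pki.Clients[name]
		_, why := Authorize(pki.Roots, allow, c)
		fmt.Printf("%-20s chain valid=%v  %s\n", name, ChainValid(pki.Roots, c), why)
	}
}
```

Running it shows both certificates passing `ChainValid` (the behaviour seen in test #1) and only clientcert.abc.com passing `Authorize`. The same separation applies to any reverse proxy: a CA list answers "was this certificate issued by someone I trust", not "is this the one client I want to admit"; the latter needs either a per-client allowlist on the certificate identity or a dedicated issuing CA that signs nothing but the permitted client certificates.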