Imperva Cyber Community

  • 1.  Experience with mTLS authentication?

    Posted 05-24-2024 12:04

    On-premise WAF. Need to implement mutual TLS (mTLS) authentication to restrict access to an Internet-facing web site. Seems straightforward, but the testing so far hasn't restricted access like we expect.

    1. I created two client certificates.

    - The first certificate is named clientcert.abc.com. Let's call this the "correct" certificate. This is the cert we want the WAF to permit, and block all others.
    - The second certificate is named badcert.abc.com.
    - Both certificates were generated by the same Certificate Authority.

    2. WAF Gateway is in non-transparent reverse proxy WAF mode. On the Reverse Proxy tab:

    - The External Hostname field is configured with the FQDN of the web site, testapps6.example.com.
    - The Client Certificate field is configured with the correct client SSL certificate, clientcert.abc.com.
    - The Client Authentication Authorities field is configured with the root and intermediate certificates of the Certificate Authority (the Certificate Authority that generated clientcert.abc.com and badcert.abc.com).

    3. Test #1

    - In my client (Firefox web browser) I installed badcert.abc.com.
    - In the Firefox web browser I went to the web site testapps6.example.com. Firefox prompted me to submit a client certificate. I submitted badcert.abc.com.
    - The web site testapps6.example.com loaded successfully. This was NOT the expected result. I expected to be blocked by the WAF due to submitting a client certificate that didn't match what was configured in the WAF.

    4. Test #2

    - In my client (Firefox web browser) I still have badcert.abc.com.
    - In the Firefox web browser I went to the web site testapps6.example.com. Firefox prompted me to submit a client certificate. I DID NOT submit any certificate.
    - The WAF blocked the connection. This is expected since no client certificate was submitted. It is also the expected result when an incorrect client certificate is submitted, but that's not what happened during test #1.

    Any ideas?


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Thanks,
    Fred
    ------------------------------
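    As an added example (not from this thread or from Imperva), the Go program below rebuilds Fred's setup with a constructed CA and the two client names: a check that only validates the chain against the issuing CA accepts badcert.abc.com just as readily as clientcert.abc.com, while a per-client allowlist on the leaf's CN, applied after chain validation, rejects it. The CA, keys, serials and the allowlist helper are all constructed here; nothing is assumed about how the WAF's own fields behave.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint issues a short-lived, client-auth capable certificate for cn, signed by parent (self-signed when parent is nil). Keys and serials are constructed for this example.
func mint(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trustedByCA is all a CA trust list checks: any leaf that chains to the trusted CA passes.
func trustedByCA(roots *x509.CertPool, leaf *x509.Certificate) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// allowlisted adds the per-client step: the chain must verify AND the leaf CN must be on the allowlist.
func allowlisted(roots *x509.CertPool, leaf *x509.Certificate, allowed map[string]bool) bool {
	return trustedByCA(roots, leaf) && allowed[leaf.Subject.CommonName]
}

// scenario rebuilds the thread's setup (one CA issuing clientcert.abc.com and badcert.abc.com); it returns whether badcert passes the CA-only check, clientcert passes the allowlist, and badcert passes the allowlist.
func scenario() (badCAOnly, goodAllowlisted, badAllowlisted bool) {
	ca, caKey := mint("Constructed Test CA", true, nil, nil)
	good, _ := mint("clientcert.abc.com", false, ca, caKey)
	bad, _ := mint("badcert.abc.com", false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	allowed := map[string]bool{"clientcert.abc.com": true}
	return trustedByCA(roots, bad), allowlisted(roots, good, allowed), allowlisted(roots, bad, allowed)
}
```

    Restricting access to one client therefore needs a check on the presented leaf (subject, SAN or fingerprint) in addition to trusting its CA; trusting the CA alone admits every certificate that CA has issued.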



  • 2.  RE: Experience with mTLS authentication?

    Posted 17 days ago
    Edited by Syed Noor Fazal 17 days ago

    Hello Fred,

    Thank you for the post. I see that you have opened a support ticket regarding this and had a discussion on how the mTLS support works on the On-Prem device.



    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------