Friday Sep 18, 2009

Two Way SSL in Oracle iPlanet (Sun) Web Server 7.0 reverse proxy server and origin server

Origin Server <--- HTTPS ---> Reverse Proxy Server <--- HTTPS ---> client/Browser

There are various SSL and non-SSL configurations we can have for the Reverse Proxy and Origin Servers:

  1. Origin Server <--- HTTP ---> Reverse Proxy Server <--- HTTP ---> client/Browser
  2. Origin Server <-- HTTP ---> Reverse Proxy Server <-- HTTPS --> client/Browser i.e. the Reverse Proxy is the SSL termination end point
  3. Origin Server <-- HTTPS ---> Reverse Proxy Server <-- HTTP --> client/Browser
  4. Origin Server <-- HTTPS ---> Reverse Proxy Server <-- HTTPS --> client/Browser

In this blog I will try out SCENARIO 4, with and without enabling client-auth on the reverse proxy server and origin server instances, and with and without the ssl-client-config SAF.

For this I have set up two Oracle iPlanet Web Server 7.0 update 9 instances.

One acts as the reverse proxy (instance name rps) and the other as the origin server (instance name origs) that serves the request.


This blog is split into the following four sub-parts:

Enable SSL on both Origin Server and Reverse Proxy Server AND
  1. no client authentication anywhere - Origin Server sends its Server certificate to Reverse Proxy Server.
  2. enable client-auth on Reverse Proxy Server - client/browser sends its certificate to Reverse Proxy Server AND Origin Server sends its certificate to Reverse Proxy server.
  3. enable client-auth on Origin Server, set ssl-client-config SAF on Reverse Proxy Server (OPTIONAL) - Origin Server and Reverse Proxy Server both send their certificates to each other.
  4. enable client-auth on Origin Server and Reverse Proxy Server, set ssl-client-config SAF on Reverse Proxy Server (OPTIONAL) - client/browser sends its certificate to Reverse Proxy Server AND Origin Server and Reverse Proxy Server send certificates to each other.


1. Enable SSL on both Origin Server and Reverse Proxy Server, no client authentication anywhere - Origin Server sends its Server certificate to Reverse Proxy Server.

1.1 Install Server Certificate in Reverse Proxy Server instance

I created a self-signed certificate in the reverse proxy server. You can use the Admin Server CLI to create a self-signed certificate:

wadm> create-selfsigned-cert --config=rps
      --server-name=www.rps.com --nickname=Server-Cert-RP

wadm> deploy-config rps

Or you can use certutil followed by pull-config:

$cd <reverse-proxy-install-dir>/https-rps/config
$../../bin/certutil -N -d . (if DBs do not exist already)
$../../bin/certutil -S -d . -n Server-Cert-RP 
          -s "CN=www.rps.com" -x -t "CT,CT,CT"

Verify it with certutil:

$../../bin/certutil -L -d <reverse-proxy-install-dir>/https-rps/config
Certificate Nickname                       Trust Attributes
                                           SSL,S/MIME,JAR/XPI
Server-Cert-RP                             CTu,Cu,Cu

1.2 Install Server Certificate in Origin Server instance

I created a self-signed certificate in the origin server. You can use the Admin Server CLI to create a self-signed certificate:

wadm> create-selfsigned-cert --config=origs
      --server-name=www.origs.com --nickname=Server-Cert-OS

wadm> deploy-config origs

Or you can use certutil followed by pull-config:

$cd <origin-server-install-dir>/https-origs/config
$../../bin/certutil -N -d . (if DBs do not exist already)
$../../bin/certutil -S -d . -n Server-Cert-OS 
     -s "CN=www.origs.com" -x -t "CT,CT,CT"

Verify with certutil that the certificate exists:

$../../bin/certutil -L -d <origin-server-install-dir>/https-origs/config
Certificate Nickname                       Trust Attributes
                                           SSL,S/MIME,JAR/XPI
Server-Cert-OS                             CTu,Cu,Cu

1.3 Changes made in Reverse Proxy Web Server Instance

1.3.1 Run create-reverse-proxy CLI from Administration server

wadm>create-reverse-proxy --config rps --vs rps --uri-prefix=/ 
    --server=https://www.origs.com:4444

obj.conf gets modified as shown below:

<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="map" from="/" name="reverse-proxy-/" to="/"
...
</Object>
<Object ppath="*">
Service fn="proxy-retrieve" method="*"
</Object>
<Object name="reverse-proxy-/">
Route fn="set-origin-server" server="https://www.origs.com:4444"
</Object>

In obj.conf I have configured the reverse proxy so that all requests are forwarded to the origin server.

In a real-world situation you can, if you want, forward only certain requests, depending on your requirements.

1.3.2 Enable SSL in the http-listener and set the server certificate nickname (if it's different from "Server-Cert").

You can use the Admin Server CLI to do these steps.

Enable SSL for this listener, set the server certificate nickname and deploy the config:

wadm> set-ssl-prop --config=rps --http-listener=http-listener-1
      server-cert-nickname=Server-Cert-RP enabled=true

wadm> deploy-config rps

server.xml should get modified to look like:

<http-listener>
    <name>http-listener-1</name>
    <port>3333</port>
    <server-name>www.rps.com</server-name>
    <default-virtual-server-name>rps</default-virtual-server-name>
    <ssl>
        <server-cert-nickname>Server-Cert-RP</server-cert-nickname>
    </ssl>
</http-listener>

1.4 Changes made in Origin Server Web Server Instance

1.4.1 Enable SSL in the http-listener and set the server certificate nickname (if it's different from "Server-Cert").

You can use the Admin Server CLI to do these steps.
Enable SSL for this listener, set the server certificate nickname and deploy the config:

wadm> set-ssl-prop --config=origs --http-listener=http-listener-1
      server-cert-nickname=Server-Cert-OS enabled=true

wadm> deploy-config origs

server.xml should get modified to look like:

<http-listener>
    <name>http-listener-1</name>
    <port>4444</port>
    <server-name>www.origs.com</server-name>
    <ssl>
        <server-cert-nickname>Server-Cert-OS</server-cert-nickname>
    </ssl>
    <default-virtual-server-name>origs</default-virtual-server-name>
</http-listener>

1.4.2 Create a test.html file in the origin server:

$cat ../docs/test.html 
This is test.html

1.5 Export the Origin Server certificate (self-signed, so it is its own CA) and import it into the Reverse Proxy Server NSS DBs

$../../bin/certutil -L -d https-origs/config -n Server-Cert-OS -a | tee /tmp/os.cert

$../../bin/certutil -A -n Server-Cert-OS -a -i /tmp/os.cert -d https-rps/config -t "CT,CT,CT"

The Reverse Proxy Server should now have two certificates:

$../../bin/certutil -L -d .                
Certificate Nickname               Trust Attributes
                                   SSL,S/MIME,JAR/XPI

ServerCertRP                       CTu,Cu,Cu
ServerCertOS                       CT,C,C

1.6 Send a request for test.html through the browser to the Reverse Proxy Server.

The origin should serve the request; you can see that the request is being served from the origin server.

We can check the entries in the access logs of both the reverse proxy server and the origin server to confirm.

Note that the browser may warn that the reverse proxy server's certificate was not issued by a valid CA.

That's OK because it is a self-signed certificate.

If you install a certificate from a trusted CA this message will not come up.

1.7 Attach ssltap to confirm the SSL communication

I have attached ssltap between the origin server and the reverse proxy server:

$ssltap -l -p 1924 -s origs:4444
    Connection #1 [Mon Nov  8 13:46:48 2010]
    Connected to origs:4444

--> [ (client to server)        
    recordLen = 75 bytes
    (75 bytes of 75)
    [Mon Nov  8 13:46:48 2010] [ssl2]  ClientHelloV2 {
               version = {0x03, 0x01}
               cipher-specs-length = 48 (0x30)
               sid-length = 0 (0x00)
               challenge-length = 16 (0x10)
               cipher-suites = { 
                    (0x010080) SSL2/RSA/RC4-128/MD5
                    (0x030080) SSL2/RSA/RC2CBC128/MD5
                    (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
                    (0x060040) SSL2/RSA/DES56-CBC/MD5
                    (0x020080) SSL2/RSA/RC4-40/MD5
                    (0x040080) SSL2/RSA/RC2CBC40/MD5
                    (0x000004) SSL3/RSA/RC4-128/MD5
                    (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
                    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                    (0x00fefe) SSL3/RSA-FIPS/DES-CBC/SHA
                    (0x000009) SSL3/RSA/DES56-CBC/SHA
                    (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
                    (0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
                    (0x000003) SSL3/RSA/RC4-40/MD5
                    (0x000006) SSL3/RSA/RC2CBC40/MD5
                    (0x0000ff) ????/????????/?????????/???
                    }
               session-id = { }
               challenge = { 0x4fad 0xcb84 0x9b5a 0x07a1 ... }
    }
    ]

<-- [ (server to client)
    (518 bytes of 513)
    SSLRecord { [Mon Nov  8 13:46:48 2010]
       type    = 22 (handshake)
       version = { 3,1 }
       length  = 513 (0x201)
       handshake {
          type = 2 (server_hello)
          length = 77 (0x00004d)
             ServerHello {
                server_version = {3, 1}
                random = {...}
                session ID = {
                    length = 32
                    contents = {...}
                }
                cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
                compression method = (00) NULL
                extensions[5] = {
                  extension type 65281, length [1] = {
                    0: 00         | .
                  }
                }
             }
          type = 11 (certificate)
          length = 424 (0x0001a8)
             CertificateChain {
                chainlength = 421 (0x01a5)
                Certificate {
                   size = 418 (0x01a2)
                   data = { saved in file 'cert.001' }
                }
             }
          type = 14 (server_hello_done)
          length = 0 (0x000000)
       }
    }
    ]
    ...

As you can see, the Origin Server sent one certificate, cert.001, to the client (the Reverse Proxy Server).

$openssl x509 -in cert.001 -text -inform DER

Certificate:
    Data: 
        Version: 3 (0x2) 
        ...
        Signature Algorithm: sha1WithRSAEncryption 
        Issuer: CN=www.origs.com 
        Validity 
            Not Before: Nov  8 08:09:20 2010 GMT
            Not After : Feb  8 08:09:20 2011 GMT
        Subject: CN=www.origs.com
       ...         

2. Enable SSL on both Origin Server and Reverse Proxy Server, enable client-auth on Reverse Proxy Server - client/browser sends its certificate to Reverse Proxy Server AND Origin Server sends its certificate to Reverse Proxy server.

Follow all the steps as in section 1.

2.1 Enable client authentication on the reverse proxy server

Just change step 1.3.2 and set client authentication to "required" as well:

wadm> set-ssl-prop --config=rps --http-listener=http-listener-1
      server-cert-nickname=Server-Cert-RP enabled=true
      client-auth=required

server.xml of the reverse proxy server should get modified to look like:

<http-listener>
    ...
    <ssl>
        <server-cert-nickname>Server-Cert-RP</server-cert-nickname>
        <client-auth>required</client-auth>
    </ssl>
</http-listener>

2.2 Test client I used to send a request to the reverse proxy server

I used "tstclnt", which is bundled with the NSS-NSPR binaries in the bin directory.

Created a test request file:

$cat > sslreq.dat
GET /test.html HTTP/1.0^M
^M

Create a client certificate and import its CA as a trusted CA (flag "C") in the Reverse Proxy instance NSS DBs. For faster results, I created the client certificate in the Reverse Proxy NSS DB itself:

$../bin/certutil -S -d https-rps/config -n ClientCert -s "CN=alpha" -x -t "CT,CT,CT"

Sent the request to the reverse proxy server:

$tstclnt -h www.rps.com -p 3333  -n ClientCert 
         -d https-rps/config -c n -v -o -f < sslreq.dat 
...    
tstclnt: SSL version 3.1 using 128-bit RC4 with 160-bit SHA1 MAC    
tstclnt: Server Auth: 1024-bit RSA, Key Exchange: 1024-bit RSA    
subject DN: CN=www.rps.com 
issuer  DN: CN=www.rps.com
...
HTTP/1.1 200 OK
...    
This is test.html
...

You can see the request is being served from the origin server. In this test client I have used cipher "n", which is SSL3 RSA WITH RC4 128 SHA.

I can see that cipher at the time of server startup when the server runs with <log-level>finest</log-level>.

You can verify that the ssltap output between the Origin Server and the Reverse Proxy Server is the same as in section 1.


3. Enable SSL on both Origin Server and Reverse Proxy Server, enable client-auth on Origin Server, set ssl-client-config SAF on Reverse Proxy Server(OPTIONAL) - Origin Server and Reverse Proxy Server both send their certificates to each other.

About the ssl-client-config SAF

Refer to http://docs.sun.com/app/docs/doc/821-1827/gdhqy?l=en&a=view

By default the reverse proxy server doesn't send a certificate to the origin server.

To send the Reverse Proxy Server certificate to the Origin Server, use the "ssl-client-config" SAF and set its "client-cert-nickname" parameter, which takes the nickname of the client certificate to present to the Origin Server.

Follow all the steps as in section 1.

3.1 OPTIONAL: Add the ssl-client-config SAF in obj.conf of the Reverse Proxy Server to set the nickname of the certificate it will send to the Origin Server

Modify obj.conf to have the ssl-client-config SAF:

ObjectType fn="ssl-client-config" client-cert-nickname="Server-Cert-RP"

If this ssl-client-config SAF is not present, the Reverse Proxy Server will send any appropriate certificate it can find.

3.2 Enable client-auth on the Origin Server, in which case the Reverse Proxy Server will send its certificate to the Origin Server

Just change step 1.4.1 and set client authentication to "required" or "optional" on the Origin Server:

wadm> set-ssl-prop --config=origs --http-listener=http-listener-1
      server-cert-nickname=Server-Cert-OS enabled=true
      client-auth=required

server.xml of the origin server should get modified to look like:

<http-listener>
    ...
    <ssl>
        <server-cert-nickname>Server-Cert-OS</server-cert-nickname>
        <client-auth>required</client-auth>
    </ssl>
</http-listener>

3.3 Export the Reverse Proxy Server certificate (self-signed, so it is its own CA) and import it into the Origin Server NSS DB

$../../bin/certutil -L -d https-rps/config -n Server-Cert-RP -a | tee /tmp/rp.cert

$../../bin/certutil -A -n Server-Cert-RP -a -i /tmp/rp.cert -d https-origs/config -t "CT,CT,CT"

The Origin Server should now also have two certificates:

$../../bin/certutil -L -d .                
Certificate Nickname          Trust Attributes
                              SSL,S/MIME,JAR/XPI

ServerCertOS                  CTu,Cu,Cu
ServerCertRP                  CT,C,C
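A quick check of the trust attributes that sections 1.5 and 3.3 set up, as an added example that is not part of the post or the product: it parses `certutil -L` output and confirms that each instance's own certificate carries a private key (u) and that the peer certificate is trusted for the role the instance plays (C for the proxy verifying the origin's server certificate, T for the origin verifying the proxy's client certificate). The listings are constructed after the ones shown in the post, using the post's nicknames.

```python
"""Check the NSS trust attributes that two-way SSL between the rps and origs
instances relies on, from `certutil -L -d <config-dir>` output.

Added example, not code from the post. Each trust column is SSL,S/MIME,JAR/XPI;
the flags that matter here, per the certutil manual, are:
  u  private key is in the DB (the instance's own server certificate)
  C  trusted CA for server certificates: lets the proxy, as TLS client,
     accept Server-Cert-OS
  T  trusted CA for client certificates: lets the origin, with
     client-auth=required, accept Server-Cert-RP
The post imports each peer certificate with -t "CT,CT,CT", which covers both roles.
"""
import re

# nickname, two or more spaces, three comma-separated flag groups (a group may be empty)
LISTING_RE = re.compile(r"^(?P<nick>\S+)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil_listing(text: str) -> dict:
    """Map nickname -> (ssl, smime, jar) trust strings; the two header lines do not match."""
    certs = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def check_two_way_ssl_trust(listing: str, own_nick: str, peer_nick: str, role: str) -> list:
    """Return the problems in one instance's DB. role is "proxy" (TLS client towards
    the origin; the peer cert needs C) or "origin" (TLS server enforcing client-auth;
    the peer cert needs T). Only the SSL column, index 0, matters for the handshake."""
    if role not in ("proxy", "origin"):
        raise ValueError(f"role must be 'proxy' or 'origin', got {role!r}")
    certs = parse_certutil_listing(listing)
    problems = []
    own = certs.get(own_nick)
    if own is None:
        problems.append(f"{own_nick}: missing from DB")
    elif "u" not in own[0]:
        problems.append(f"{own_nick}: no private key (u) - cannot serve as server-cert-nickname")
    peer = certs.get(peer_nick)
    needed = "C" if role == "proxy" else "T"
    if peer is None:
        problems.append(f"{peer_nick}: missing from DB - peer would be an unknown issuer")
    elif needed not in peer[0]:
        problems.append(f"{peer_nick}: SSL trust {peer[0]!r} lacks {needed}")
    return problems


# Constructed listings in the shape of the post's `certutil -L -d .` output.
RP_DB_LISTING = """\
Certificate Nickname                       Trust Attributes
                                           SSL,S/MIME,JAR/XPI

Server-Cert-RP                             CTu,Cu,Cu
Server-Cert-OS                             CT,C,C
"""
ORIGIN_DB_LISTING = """\
Certificate Nickname                       Trust Attributes
                                           SSL,S/MIME,JAR/XPI

Server-Cert-OS                             CTu,Cu,Cu
Server-Cert-RP                             CT,C,C
"""

if __name__ == "__main__":
    print("rps  :", check_two_way_ssl_trust(RP_DB_LISTING, "Server-Cert-RP", "Server-Cert-OS", "proxy"))
    print("origs:", check_two_way_ssl_trust(ORIGIN_DB_LISTING, "Server-Cert-OS", "Server-Cert-RP", "origin"))
```

Both calls in the main block return an empty list for the listings as the post shows them; a peer imported without trust (for example "c,c,c") or an own certificate whose private key is not in the DB is reported.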

3.4 Send a test request and attach ssltap to see what's going on

Now send a request through the browser. It should serve the page.

Using ssltap we confirm that two certificates are being sent.

In this case the client is the reverse proxy server and the server is the origin server.

$ssltap -p 1924 -l -s origs:4444
Connection #1 [Mon Nov  8 16:26:07 2010]
Connected to origs:4444
--> [ (client to server)
recordLen = 75 bytes
(75 bytes of 75)
 [Mon Nov  8 16:26:07 2010] [ssl2]  ClientHelloV2 {
           version = {0x03, 0x01}
           cipher-specs-length = 48 (0x30)
           sid-length = 0 (0x00)
           challenge-length = 16 (0x10)
           cipher-suites = { 
                (0x010080) SSL2/RSA/RC4-128/MD5
                (0x030080) SSL2/RSA/RC2CBC128/MD5
                (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
                (0x060040) SSL2/RSA/DES56-CBC/MD5
                (0x020080) SSL2/RSA/RC4-40/MD5
                (0x040080) SSL2/RSA/RC2CBC40/MD5
                (0x000004) SSL3/RSA/RC4-128/MD5
                (0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
                (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
                (0x00fefe) SSL3/RSA-FIPS/DES-CBC/SHA
                (0x000009) SSL3/RSA/DES56-CBC/SHA
                (0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
                (0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
                (0x000003) SSL3/RSA/RC4-40/MD5
                (0x000006) SSL3/RSA/RC2CBC40/MD5
                (0x0000ff) ????/????????/?????????/???
                }
           session-id = { }
           challenge = { 0xe793 0x10b4 0xf9b2 0x826d 0... }
}
]
<-- [ (server to client)
(577 bytes of 572)
SSLRecord { [Mon Nov  8 16:26:07 2010]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 572 (0x23c)
   handshake {
      type = 2 (server_hello)
      length = 77 (0x00004d)
         ServerHello {
            server_version = {3, 1}
            random = {...}
            session ID = {
                length = 32
                contents = {...}
            }
            cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
            compression method = (00) NULL
            extensions[5] = {
              extension type 65281, length [1] = {
               0: 00            | .
              }
            }
         }
      type = 11 (certificate)
      length = 424 (0x0001a8)
         CertificateChain {
            chainlength = 421 (0x01a5)
            Certificate {
               size = 418 (0x01a2)
               data = { saved in file 'cert.001' }
            }
         }
      type = 13 (certificate_request)
      length = 55 (0x000037)
         CertificateRequest {
            certificate types[3] = { 01 02 40 }
            certificate_authorities[49] = {
   CN=www.rps.com
   CN=www.origs.com
            }
         }
      type = 14 (server_hello_done)
      length = 0 (0x000000)
   }
}
]
--> [ (client to server)
(750 bytes of 702, with 43 left over)
SSLRecord { [Mon Nov  8 16:26:07 2010]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 702 (0x2be)
   handshake {
      type = 11 (certificate)
      length = 430 (0x0001ae)
         CertificateChain {
            chainlength = 427 (0x01ab)
            Certificate {
               size = 424 (0x01a8)
               data = { saved in file 'cert.002' }
            }
         }
      type = 16 (client_key_exchange)
      length = 130 (0x000082)
         ClientKeyExchange {
            message = {...}
         }
      type = 15 (certificate_verify)
      length = 130 (0x000082)
   }
}
(750 bytes of 1, with 37 left over)
SSLRecord { [Mon Nov  8 16:26:07 2010]
   type    = 20 (change_cipher_spec)
   version = { 3,1 }
   length  = 1 (0x1)
}
(750 bytes of 32)
SSLRecord { [Mon Nov  8 16:26:07 2010]
   type    = 22 (handshake)
   version = { 3,1 }
   length  = 32 (0x20)
            < encrypted >
}
]
...

This shows that:

  • the Origin Server sent its certificate cert.001 (Server-Cert-OS) to the client (the Reverse Proxy Server), and
  • the client (Reverse Proxy Server) sent its certificate cert.002 (Server-Cert-RP) to the Origin Server.

$openssl x509 -in cert.001 -text -inform DER

Certificate:
    Data:
        Version: 3 (0x2)
        ...
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=www.origs.com
        Validity
            Not Before: Nov  8 08:09:20 2010 GMT
            Not After : Feb  8 08:09:20 2011 GMT
        Subject: CN=www.origs.com
        ...

$openssl x509 -in cert.002 -text -inform DER

Certificate:
    Data:
        Version: 3 (0x2)
        ...
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=www.rps.com
        Validity
            Not Before: Nov  8 08:09:50 2010 GMT
            Not After : Feb  8 08:09:50 2011 GMT
        Subject: CN=www.rps.com
        ...


4. Enable SSL on both Origin Server and Reverse Proxy Server, enable client-auth on Origin Server and Reverse Proxy Servers, set ssl-client-config SAF on Reverse Proxy Server(OPTIONAL) - client/browser sends its certificate to Reverse Proxy Server AND Origin Server and Reverse Proxy Server send certificates to each other


Follow all the steps as in section 1.

4.1 Enable client-auth on the reverse proxy server

Just change step 1.3.2 and set client authentication to "required" as well:

wadm> set-ssl-prop --config=rps --http-listener=http-listener-1
      server-cert-nickname=Server-Cert-RP enabled=true
      client-auth=required

server.xml of the reverse proxy server should get modified to look like:

<http-listener>
    ...
    <ssl>
        <server-cert-nickname>Server-Cert-RP</server-cert-nickname>
        <client-auth>required</client-auth>
    </ssl>
</http-listener>

4.2 OPTIONAL: Add the ssl-client-config SAF in obj.conf of the Reverse Proxy Server to set the nickname of the certificate it will send to the Origin Server

Modify obj.conf to have the ssl-client-config SAF:

...
ObjectType fn="ssl-client-config" client-cert-nickname="Server-Cert-RP"
...

If this ssl-client-config SAF is not present, the Reverse Proxy Server will send any appropriate certificate it can find.


4.3 Enable client-auth on the Origin Server, in which case the Reverse Proxy Server will send its certificate to the Origin Server

Just change step 1.4.1 and set client authentication to "required" or "optional" on the Origin Server:

wadm> set-ssl-prop --config=origs --http-listener=http-listener-1
      server-cert-nickname=Server-Cert-OS enabled=true
      client-auth=required

server.xml of the origin server should get modified to look like:

<http-listener>
    ...
    <ssl>
        <server-cert-nickname>Server-Cert-OS</server-cert-nickname>
        <client-auth>required</client-auth>
    </ssl>
</http-listener>

4.4 Export the Reverse Proxy Server certificate (self-signed, so it is its own CA) and import it into the Origin Server NSS DBs

$../../bin/certutil -L -d https-rps/config -n Server-Cert-RP -a | tee /tmp/rp.cert

$../../bin/certutil -A -n Server-Cert-RP -a -i /tmp/rp.cert -d https-origs/config -t "CT,CT,CT"

Verify that the Origin Server now also has two certificates:

$../../bin/certutil -L -d .                
Certificate Nickname          Trust Attributes
                              SSL,S/MIME,JAR/XPI

ServerCertOS                  CTu,Cu,Cu
ServerCertRP                  CT,C,C

4.5 OPTIONAL: Changing log settings in server.xml

I have also modified the access log format in both the Reverse Proxy and the Origin Server:

<access-log>
    ...
    <format>
    %Ses->client.ip% "%Req->reqpb.clf-request%"
    %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%
    %Ses->client.cipher% %Req->vars.auth-cert%
    %Req->headers.proxy-auth-cert%
    </format>
</access-log>

Note that the contents between <format></format> should be on one line; I have split it across several lines here so that it is easy to read.

4.6 Test client used to send a request to the Reverse Proxy Server

I used "tstclnt", which is bundled with the NSS-NSPR binaries in the bin directory. Created a test request file:

$cat > sslreq.dat
GET /test.html HTTP/1.0^M
^M

Create a client certificate and import its CA as a trusted CA (flag "C") in the Reverse Proxy instance NSS DBs.

For faster results, I created the client certificate in the Reverse Proxy NSS DB itself:

$./bin/certutil -S -d https-rps/config -n ClientCert -s "CN=alpha" -x -t "CT,CT,CT"

Now send a request to the Reverse Proxy Server:

$tstclnt -h www.rps.com -p 3333  -n ClientCert 
         -d https-rps/config -c n -v -o -f < sslreq.dat 
...    
tstclnt: SSL version 3.1 using 128-bit RC4 with 160-bit SHA1 MAC    
tstclnt: Server Auth: 1024-bit RSA, Key Exchange: 1024-bit RSA    
subject DN: CN=www.rps.com 
issuer  DN: CN=www.rps.com
...
HTTP/1.1 200 OK
...    
This is test.html
...

You can see the request is being served from the origin server. In this test client I have used cipher "n", which is SSL3 RSA WITH RC4 128 SHA.

I can see that at the time of server startup when the server runs with <log-level>finest</log-level>.

You can use other ciphers as well.

The access log of the Reverse Proxy Web Server shows ONE certificate, in the auth-cert entry of the vars pblock:

$cat ../logs/access
format=%Ses->client.ip% "%Req->reqpb.clf-request%" 
%Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%  
%Ses->client.cipher% 
%Req->vars.auth-cert%
%Req->headers.proxy-auth-cert% 
xxx.xxx.xxx.xxx "GET /test.html HTTP/1.0" 
200 18
RC4

MIIBmDCCAQGgAwIBAgIFAJKp8cowDQYJKoZIhvcNAQEFBQAwEDEOMAwGA1UEAxMF
...
RiyrKq9SuMfqI8b++8613QMSJYwdVCFi1DrDGw==

-

Note that the cipher is RC4.

You can verify that in the Reverse Proxy Server instance the certificate in pblock vars->auth-cert is the Client Certificate:

$certutil -L -d https-rps/config -n ClientCert -a
-----BEGIN CERTIFICATE-----
MIIBmDCCAQGgAwIBAgIFAJKp8cowDQYJKoZIhvcNAQEFBQAwEDEOMAwGA1UEAxMF
...
RiyrKq9SuMfqI8b++8613QMSJYwdVCFi1DrDGw==
-----END CERTIFICATE-----

The access log of the origin server shows one certificate in vars->auth-cert and ONE certificate in the headers pblock, in proxy-auth-cert:

$cat ../logs/access
format=%Ses->client.ip% "%Req->reqpb.clf-request%"
%Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%
%Ses->client.cipher%
%Req->vars.auth-cert%
%Req->headers.proxy-auth-cert% 
xxx.xxx.xxx.xxx "GET /test.html HTTP/1.1" 
200 18
RC4 

MIIBpDCCAQ2gAwIBAgIFAJKQxLEwDQYJKoZIhvcNAQEFBQAwFjEUMBIGA1UEAxML
...
L0wNBvqTkA7a4nagsj0UFRCUxfL1AjMRDJp6v7BGQRBcx2nrvgb+Bg== 

MIIBmDCCAQGgAwIBAgIFAJKp8cowDQYJKoZIhvcNAQEFBQAwEDEOMAwGA1UEAxMF
...
RiyrKq9SuMfqI8b++8613QMSJYwdVCFi1DrDGw==

You can verify that in the Origin Server instance the certificate in pblock vars->auth-cert is the Reverse Proxy Server certificate, and the certificate in pblock headers->proxy-auth-cert is the Client Certificate (the one the browser/tstclnt sent to the Reverse Proxy Server).

You can use certutil:

$certutil -L -d https-rps/config -n Server-Cert-RP -a
-----BEGIN CERTIFICATE-----
MIIBpDCCAQ2gAwIBAgIFAJKQxLEwDQYJKoZIhvcNAQEFBQAwFjEUMBIGA1UEAxML
...
L0wNBvqTkA7a4nagsj0UFRCUxfL1AjMRDJp6v7BGQRBcx2nrvgb+Bg==
-----END CERTIFICATE-----

Or you can use openssl to confirm:

$openssl s_client -connect www.rps.com:3333 -showcerts
...
Certificate chain
 0 s:/CN=www.rps.com
   i:/CN=www.rps.com
-----BEGIN CERTIFICATE-----
MIIBpDCCAQ2gAwIBAgIFAJKQxLEwDQYJKoZIhvcNAQEFBQAwFjEUMBIGA1UEAxML
...
L0wNBvqTkA7a4nagsj0UFRCUxfL1AjMRDJp6v7BGQRBcx2nrvgb+Bg==
-----END CERTIFICATE-----
...


The ssltap output between the origin server and the reverse proxy server will be the same as in section 3 above.
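The verification of sections 4.5 and 4.6, which the post does by eye against certutil output, can be scripted. The following is an added example (not from the post or the product) that parses origin-server access-log lines written with the section 4.5 format, labels each logged certificate with the nickname of the matching PEM, and flags records whose proxy-auth-cert header was not delivered by the authenticated reverse proxy; the certificates and log lines are constructed stand-ins.

```python
"""Audit origin-server access-log records written with the section 4.5 <format>
and confirm which certificate is which, as section 4.6 does by eye.

Added example, not code from the post or the product. Field order follows:
  %Ses->client.ip% "%Req->reqpb.clf-request%" %Req->srvhdrs.clf-status%
  %Req->srvhdrs.content-length% %Ses->client.cipher% %Req->vars.auth-cert%
  %Req->headers.proxy-auth-cert%
vars.auth-cert is the certificate the TLS peer (the reverse proxy) presented to the
origin; headers.proxy-auth-cert is the end client's certificate the proxy forwards.
The PEM blobs and log lines below are constructed stand-ins, not real data.
"""
import base64
import shlex


def _constructed_pem(label: bytes) -> str:
    """PEM-shaped stand-in for `certutil -L -d <db> -n <nick> -a` output (not a real cert)."""
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(label).decode()}\n-----END CERTIFICATE-----\n"


RP_CERT_PEM = _constructed_pem(b"constructed Server-Cert-RP, CN=www.rps.com")
CLIENT_CERT_PEM = _constructed_pem(b"constructed ClientCert, CN=alpha")
OTHER_CERT_PEM = _constructed_pem(b"constructed certificate of some unknown peer")


def pem_to_log_form(pem: str) -> str:
    """The access log holds the bare base64 DER on one line: drop armour and newlines."""
    lines = (l.strip() for l in pem.splitlines())
    return "".join(l for l in lines if l and not l.startswith("-----"))


def parse_origin_log_line(line: str) -> dict:
    """Split one record of the 4.5 format. Only the quoted request may contain spaces,
    so shlex handles the quoting; an absent certificate is logged as "-"."""
    fields = shlex.split(line)
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    ip, request, status, length, cipher, auth_cert, proxy_auth_cert = fields
    return {"client_ip": ip, "request": request, "status": int(status),
            "content_length": int(length), "cipher": cipher,
            "auth_cert": auth_cert, "proxy_auth_cert": proxy_auth_cert}


def check_record(rec: dict, proxy_cert_b64: str) -> list:
    """Problems with one origin record. With client-auth=required on the origin
    listener the TLS peer must always have presented a certificate, and the
    proxy-auth-cert header only describes the end client when the peer that
    forwarded it is the reverse proxy itself."""
    problems = []
    peer_is_proxy = rec["auth_cert"] == proxy_cert_b64
    if rec["auth_cert"] == "-":
        problems.append("TLS peer presented no certificate")
    elif not peer_is_proxy:
        problems.append("TLS peer certificate is not Server-Cert-RP")
    if rec["proxy_auth_cert"] != "-" and not peer_is_proxy:
        problems.append("proxy-auth-cert header forwarded by a peer other than the reverse proxy")
    return problems


def audit_origin_log(log_text: str, proxy_pem: str, known: dict) -> list:
    """Parse every record, label each logged certificate with the nickname of the
    matching known PEM ("unknown" if none matches) and attach the problems found."""
    by_b64 = {pem_to_log_form(pem): nick for nick, pem in known.items()}
    proxy_b64 = pem_to_log_form(proxy_pem)
    records = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("format="):
            continue  # the access log's first line repeats the format string
        rec = parse_origin_log_line(line)
        rec["problems"] = check_record(rec, proxy_b64)
        for key in ("auth_cert", "proxy_auth_cert"):
            rec[key + "_nick"] = "-" if rec[key] == "-" else by_b64.get(rec[key], "unknown")
        records.append(rec)
    return records


# Constructed origin-server access log, one record per situation described in the post.
RP_B64, CLIENT_B64, OTHER_B64 = (pem_to_log_form(p) for p in (RP_CERT_PEM, CLIENT_CERT_PEM, OTHER_CERT_PEM))
SAMPLE_ORIGIN_LOG = "\n".join([
    'format=%Ses->client.ip% "%Req->reqpb.clf-request%" %Req->srvhdrs.clf-status% '
    '%Req->srvhdrs.content-length% %Ses->client.cipher% %Req->vars.auth-cert% '
    '%Req->headers.proxy-auth-cert%',
    f'xxx.xxx.xxx.xxx "GET /test.html HTTP/1.1" 200 18 RC4 {RP_B64} {CLIENT_B64}',     # section 4
    f'xxx.xxx.xxx.xxx "GET /test.html HTTP/1.1" 200 18 RC4 {RP_B64} -',                # section 3
    f'xxx.xxx.xxx.xxx "GET /test.html HTTP/1.1" 200 18 RC4 {OTHER_B64} {CLIENT_B64}',  # unexpected peer
])
```

Calling audit_origin_log(SAMPLE_ORIGIN_LOG, RP_CERT_PEM, {"Server-Cert-RP": RP_CERT_PEM, "ClientCert": CLIENT_CERT_PEM}) labels the first record Server-Cert-RP / ClientCert with no problems, the second Server-Cert-RP / "-", and reports the third, where the TLS peer is unknown yet a proxy-auth-cert header is present.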

About

Meena Vyas
