ServerIron ADX Security Guide (53-1002440-03), page 167
Chapter 6: Advanced SSL profile configuration
Enabling certificate verification
The ServerIron ADX can optionally be configured to enforce client certificate verification. When
client certificate verification is configured, the ServerIron ADX asks every client for a signed
certificate during the SSL handshake. A presented certificate is verified against the trusted CA
certificates configured on the device, and the connection is allowed or denied based on the result.
You can enable client certificate verification on a per-ssl-handshake or per-connection basis, in
one of two modes:
Request mode
Require mode
In request mode, a client certificate is requested but not mandatory. The connection is allowed if
the client presents a valid certificate, or if no certificate is presented at all. The connection is
denied if the client presents an invalid, revoked, or expired certificate. Request mode therefore
rejects bad certificates but does not force clients to authenticate.
In require mode, a client certificate is always required. The connection is denied if the client
presents no certificate, and, as in request mode, if it presents an invalid, revoked, or expired one.
Client-authentication can be used in the following four combinations:
Per-connection request
Per-connection require
Per-ssl-handshake request
Per-ssl-handshake require
Syntax: verify-client-cert <per-ssl-handshake/per-ssl-connection> <request/require>
per-ssl-handshake - Requests a client certificate for every new SSL handshake.
per-connection - Requests a client certificate for every new SSL connection.
The difference between the two becomes apparent when SSL session caching is enabled. With session
caching, multiple SSL connections can share the same SSL session by resuming it, without performing
a full SSL handshake for each connection. In the per-ssl-handshake form a certificate is requested
only when a full handshake takes place, so a connection that resumes a cached session reuses the
verification performed at that handshake. In the per-connection form a certificate is requested for
every new connection, including connections that resume a cached session.
Client certificate verification in SSL Proxy Mode
SSL Proxy mode has two traffic segments: from the client to the ServerIron ADX, and from the
ServerIron ADX to the real server.
In the first segment, the ServerIron ADX acts as a server to a browser-based client. In the second
segment, the ServerIron ADX acts as a client to the real server.
In some cases the real server is configured so that only clients with valid certificates can connect
to it. Because the ServerIron ADX is itself the client in the second segment, it must hold a valid
client certificate, together with its private key, to connect to the real server. A client
certificate can be obtained from a CA and uploaded to the ServerIron ADX. Once uploaded, the client
certificate is configured in the server SSL profile using the following commands:
keypair-file - Configures the private key belonging to the client certificate
certificate-file - Configures the client certificate
Client certificate verification can also be enabled in the second traffic segment (from the
ServerIron ADX to the real server). In this configuration the real server accepts a connection only
from a client that presents a certificate issued by a CA the server trusts; in this deployment that
client is the ServerIron ADX, and no other device is allowed. To connect to the real server, the
ServerIron ADX must therefore present a client certificate issued by a CA that the server trusts.
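The request/require behaviour described under "Enabling certificate verification", and the second-segment case above where the ServerIron ADX itself must present a trusted client certificate, can both be reproduced end to end with an ordinary TLS stack. The script below is an added example, not code from the Brocade guide or from the ServerIron ADX: it uses Python's ssl module, with ssl.CERT_OPTIONAL standing in for request mode and ssl.CERT_REQUIRED for require mode, and it builds a throwaway PKI (a trusted CA, an unrelated "rogue" CA, a server certificate and one client certificate from each CA) with the openssl command-line tool, which is assumed to be installed. Every name in it (make_pki, attempt, run_matrix, the CA and certificate names) is this example's own. The "require mode, trusted cert" row is the second-segment situation: the test server plays the real server that only admits certificate holders, and the client loads the equivalent of keypair-file and certificate-file. The per-ssl-handshake versus per-connection distinction (session resumption) is not modelled here.

```python
"""Request vs. require client-certificate verification with the Python ssl
module.  Added example, not ServerIron ADX code.  A throwaway PKI is created
with the openssl CLI (assumed installed) in a temporary directory."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Minimal openssl config (constructed for this example) so the CA certificates
# carry CA:TRUE regardless of the host's default openssl.cnf.
REQ_CONFIG = """[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
"""

MODES = {"request": ssl.CERT_OPTIONAL, "require": ssl.CERT_REQUIRED}
CLIENTS = {"no cert": None, "trusted cert": "good-client", "untrusted cert": "rogue-client"}


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_pki(workdir):
    """Create two CAs, a server cert and one client cert per CA.
    Returns {name: (key_path, cert_path)}."""
    cfg = os.path.join(workdir, "req.cnf")
    with open(cfg, "w") as f:
        f.write(REQ_CONFIG)

    def path(name, ext):
        return os.path.join(workdir, f"{name}.{ext}")

    pki = {}
    for ca in ("trusted-ca", "rogue-ca"):   # self-signed CA certificates
        _openssl("req", "-x509", "-config", cfg, "-extensions", "ca_ext",
                 "-newkey", "rsa:2048", "-nodes", "-days", "1", "-subj", f"/CN={ca}",
                 "-keyout", path(ca, "key"), "-out", path(ca, "crt"))
        pki[ca] = (path(ca, "key"), path(ca, "crt"))

    def issue(name, ca):                    # CSR, then sign it with the chosen CA
        _openssl("req", "-new", "-config", cfg, "-newkey", "rsa:2048", "-nodes",
                 "-subj", f"/CN={name}", "-keyout", path(name, "key"), "-out", path(name, "csr"))
        _openssl("x509", "-req", "-days", "1", "-in", path(name, "csr"), "-CA", pki[ca][1],
                 "-CAkey", pki[ca][0], "-CAcreateserial", "-out", path(name, "crt"))
        return path(name, "key"), path(name, "crt")

    pki["server"] = issue("server", "trusted-ca")
    pki["good-client"] = issue("good-client", "trusted-ca")
    pki["rogue-client"] = issue("rogue-client", "rogue-ca")   # valid-looking, wrong CA
    return pki


def attempt(verify_mode, pki, client_cert=None):
    """One TLS connection against a server enforcing verify_mode.  Returns
    'allowed' if the server completed the handshake and answered, else 'denied'."""
    ca_cert = pki["trusted-ca"][1]
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(pki["server"][1], pki["server"][0])
    server_ctx.load_verify_locations(cafile=ca_cert)   # the server's "trusted CAs"
    server_ctx.verify_mode = verify_mode               # request or require mode

    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def server():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            # wrap_socket runs the handshake; a certificate that fails
            # verification, or a missing one in require mode, raises here.
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(16)
                tls.sendall(b"ok")
        except (ssl.SSLError, OSError):
            pass
        finally:
            listener.close()

    t = threading.Thread(target=server)
    t.start()

    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False          # throwaway server cert has no SAN
    client_ctx.load_verify_locations(cafile=ca_cert)
    if client_cert:                            # keypair-file / certificate-file analogue
        client_ctx.load_cert_chain(pki[client_cert][1], pki[client_cert][0])
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                client_ctx.wrap_socket(raw) as tls:
            # Under TLS 1.3 the server's verdict can arrive after the client has
            # finished its half of the handshake, so exchange one message.
            tls.sendall(b"hello")
            outcome = "allowed" if tls.recv(16) == b"ok" else "denied"
    except (ssl.SSLError, OSError):
        outcome = "denied"
    t.join()
    return outcome


def run_matrix():
    """Try every mode/client combination; returns {(mode, client): outcome}."""
    with tempfile.TemporaryDirectory() as workdir:
        pki = make_pki(workdir)
        return {(m, c): attempt(mv, pki, cc)
                for m, mv in MODES.items() for c, cc in CLIENTS.items()}


if __name__ == "__main__":
    for (mode, client), outcome in run_matrix().items():
        print(f"{mode:7} mode, client with {client:14}: {outcome}")
```

Running it prints the six outcomes: request mode admits the certificate-less client and the trusted certificate but rejects the certificate from the untrusted CA, while require mode additionally rejects the client that presents nothing. The untrusted-CA row is the one worth keeping in mind when troubleshooting the second segment: a client certificate that is syntactically valid and unexpired is still refused if the real server does not trust its issuer, so the CA used for the ServerIron ADX's client certificate must be in the real server's trust store.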
To successfully complete this process, the ServerIronADX requires the following items: