How can we limit the number of accepted client certificates when doing mutual TLS with Azure web apps?
I want to be able to control the trusted issuers list sent to the web browser so that the list of allowed certificates can be filtered in the browser. This was possible in IIS, and with Azure Cloud Service I believe, but how can we do it in a web app?
Schannel documentation for this in Windows Server 2012:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786429(v=ws.11)
What we basically want to do is set the content of the certificate_authorities field in CertificateRequest sent by the server to the browser in the TLS handshake as stated in RFC5246.
I've posted a feature request for this:
https://feedback.azure.com/forums/169385-web-apps/suggestions/35566390-limit-number-of-accepted-client-certificates-when
I have an app service protected by Front Door. App Service access restrictions only allow connections from FrontDoor.
App service accepts https only, TLS1.2. FD routing is set to httpsOnly.
Let's Encrypt TLS Cert is setup in keyvault and custom domain setup in Frontdoor.
The backend host header field in FD is left empty, to allow the custom domain to be passed in the header to the app service and avoid broken redirects and cookies (redirects were going to the app service DNS name instead of FD).
I added the custom domains to the app service, but I am getting a warning that there are no TLS bindings.
Do I need them, given I don't allow connections direct to app service but to FD only?
The FrontDoor TLS end to end encryption documentation states the following:
For HTTPS connections, Azure Front Door expects that your backend presents a certificate from a valid Certificate Authority (CA) with subject name(s) matching the backend hostname. As an example, if your backend hostname is set to myapp-centralus.contosonews.net and the certificate that your backend presents during the TLS handshake doesn't have myapp-centralus.contosonews.net or *.contosonews.net in the subject name, then Azure Front Door will refuse the connection and as a result an error.
My understanding here is FD relies on the app service hostname and TLS cert (Azure managed) to encrypt its backend connection.
Everything works, and I don't see any security warnings in the browser... but wondering if in fact the backend TLS encryption is being correctly implemented?
I have an App Service that's protected by a TLS certificate. It worked fine with small payloads, however, it started failing with larger payloads.
According to an article, I enabled certificate negotiation for my API Management Service:
https://notetoself.tech/2019/06/13/api-call-with-client-certificate-policy-failing-to-execute-due-to-message-size-on-azure-api-management/
However, it still randomly fails with certificate negotiation error, as seen below:
Important - I do not want to use client authentication between browser <-> API management. I'm using it only between API management <-> App Service.
I could not find any information on this substatus 72 code. What does it mean and can it be fixed? Is Azure client certificate authentication broken and won't work with large payloads?
The Negotiate Client Certificate checkbox will not help here as this is for the mutual auth between the client and your apim service where your problem is between apim and app service. Your app service should force apim to exchange the client certificate during the initial SSL handshake rather than waiting until it is needed.
This problem is not related specifically to Azure; see this:
https://techcommunity.microsoft.com/t5/networking-blog/https-client-certificate-request-freezes-when-the-server-is/ba-p/339672
The issue description, to me, or at least how I understood it, does not match the error code, as the 17 substatus code means that the client certificate has expired or is not yet valid.
See this https://www.google.com/search?q=403.17+http+code&oq=403.17+http+code&aqs=chrome..69i57.9265j0j7&client=ms-android-samsung-gn-rev1&sourceid=chrome-mobile&ie=UTF-8
And this https://techcommunity.microsoft.com/t5/iis-support-blog/client-certificate-revisited-how-to-troubleshoot-client/ba-p/348053
I am trying to set up client-to-node SSL encryption for one of our clients.
I have confusion regarding the functionality of setting require_client_auth in client_encryption_options in cassandra.yaml, and what configuration needs to be set on the client and on the Cassandra node in case I set require_client_auth to true.
Password authentication is already set; now I am investigating if there might be any additional advantage to having both ("authenticator: PasswordAuthenticator" and "require_client_auth: true") turned on.
As Jim stated, require_client_auth doesn't have anything to do with Cassandra's auth system. It is an additional level of security configuration for client-to-node SSL.
When you implement client-to-node SSL and enable require_client_auth you are enabling what is known as Two Way SSL. Instead of the Cassandra client simply verifying the identity of the server, the server also verifies the certificate used by the client. This doc One Way and Two Way SSL and TLS (Peeples K. 2015) has a good description of this process:
Two-way SSL authentication is also referred to as client or mutual authentication because the application acting as an SSL client presents its certificate to the SSL server after the SSL server authenticates itself to the SSL client.
Establishing the encrypted channel using certificate-based 2-Way SSL involves:
A client requests access to a protected resource.
The server presents its certificate to the client.
The client verifies the server’s certificate.
If successful, the client sends its certificate to the server.
The server verifies the client’s credentials.
If successful, the server grants access to the protected resource requested by the client.
On the other hand, with One Way SSL the client only verifies the server's certificate (from the same doc).
The advantage of Two Way SSL would be in knowing that the Cassandra nodes will not allow a connection from an unknown client certificate.
IMO, One Way SSL still offers a decent degree of security. The dev team will need to present a cert which validates up through the same CA (certificate authority) as the cert from the Cassandra nodes. Two Way SSL might be useful in a large org, helping to keep out connections from applications that have not first talked with your team.
I believe the require_client_auth is for SSL (certificate) communication between the client and server, and that the client must identify itself (you can have it so that the server is the only one that identifies itself).
I have created a web connector compatible service and deployed it to the cloud. For security, I am planning to do 2-way SSL that includes client authentication, i.e. the web connector will provide the certificate and the service will authenticate the client, i.e. the web connector. I am planning to host these certificates in a truststore which the web service will use. But I couldn't find anything in the web connector documentation about how/where I can specify the path for the client certificate/key or truststore on the web connector side. How do I achieve this?
The Web Connector doesn't support what you're describing, so you won't be able to do this with the Web Connector.
The Web Connector does this for security:
requires all connections to be over SSL/TLS (https) so that data in transit is encrypted
authenticates with a username and a password
You can further secure this by following standard web app security things like:
rate limiting how quickly people can auth
blocking IPs or usernames that fail auth too many times
configuring your web server to only use TLS v1.2 (no SSLv2, SSLv3, or old TLS)
enforce secure passwords
store the passwords on your end hashed
etc.
For testing purposes I would like to enable the 'Incoming Client Certificates' option in my Azure App Service (running a WCF webservice), and see if my Client application can still connect to the webservice. Since I am still in a testing phase, my app service still has the .azurewebsites.net domain name.
However, I can't seem to figure out how to get a proper client certificate that the server will accept (without switching to a custom domain name, which I know will work).
Currently, I see 2 possible routes to a solution:
Somehow get my hands on a .cer that is signed by a CA trusted by the App Service server.
Generate a self-signed .pfx and .cer with my own self-signed CA. Import the pfx on the App Service and install the .cer on the client.
Both directions have not yielded any success so far. Does anyone have any experience with this?
Per my understanding, the client certificate is used by client systems to make authenticated requests to a remote server. In this case, your webservice is the remote server in a C/S mode. As you point out, "validating this certificate is the responsibility of the web app. So this means that any certificate will be valid as long as you don't validate anything". It is not affected by whether you have a custom domain or not in your web app service.
If you want to use client cert authentication with Azure app, you can refer to How To Configure TLS Mutual Authentication for Web App.
If the server has requested a client certificate in its server hello and the client cert has signing capability, then it is expected to send the CertificateVerify message to the server. It contains a signed hash of all messages from ClientHello up to that point, which are buffered on the server side. The server TLS layer will decrypt this using the client public key (which is in the client certificate received earlier) and compare it with its calculated hash. It will call back to the application layer if this fails.
The application needs to handle it at that point and return its own error or continue with the session. https://www.rfc-editor.org/rfc/rfc5246#section-7.4.8
One example of this with the wolfSSL library is https://github.com/wolfSSL/wolfssl/blob/14ef517b6113033c5fc7506a9da100e5e341bfd4/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs#L145
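The following is an added example (not code from any of the posts above, nor from wolfSSL) of the CertificateVerify step just described, which is also the "client sends its certificate / server verifies the client's credentials" part of the Two Way SSL sequence in the Cassandra answer. It assumes the rsa_pkcs1_sha256 signature algorithm from RFC 5246 and uses a constructed, human-readable stand-in for the buffered handshake messages rather than real TLS encoding.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-ins for the handshake messages both sides buffer from
// ClientHello up to (not including) CertificateVerify (RFC 5246 s7.4.8).
var handshakeTranscript = [][]byte{
	[]byte("ClientHello: TLS1.2 random=c0ffee cipher_suites=[...]"),
	[]byte("ServerHello: TLS1.2 random=decafe cipher_suite=0x003C"),
	[]byte("Certificate: server chain"),
	[]byte("CertificateRequest: rsa_sign sha256 certificate_authorities=[...]"),
	[]byte("Certificate: client chain"),
	[]byte("ClientKeyExchange: encrypted premaster"),
}

// transcriptHash is SHA-256 over the concatenated messages, the value that
// rsa_pkcs1_sha256 signs in CertificateVerify.
func transcriptHash(msgs [][]byte) []byte {
	h := sha256.New()
	for _, m := range msgs {
		h.Write(m)
	}
	return h.Sum(nil)
}

// Client side: sign the transcript hash with the key behind the client cert.
func clientCertificateVerify(key *rsa.PrivateKey, msgs [][]byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, transcriptHash(msgs))
}

// Server side: rehash its own buffered copy and verify with the public key from
// the client Certificate. A non-nil error is where the TLS stack calls back into
// the application, which then decides whether to abort or continue the session.
func serverCheckCertificateVerify(pub *rsa.PublicKey, msgs [][]byte, sig []byte) error {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, transcriptHash(msgs), sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	sig, _ := clientCertificateVerify(key, handshakeTranscript)
	tampered := append([][]byte{}, handshakeTranscript...)
	tampered[1] = []byte("ServerHello: TLS1.0 downgraded") // one message altered in transit
	fmt.Println("genuine:", serverCheckCertificateVerify(&key.PublicKey, handshakeTranscript, sig))
	fmt.Println("tampered:", serverCheckCertificateVerify(&key.PublicKey, tampered, sig))
}
```

Because the signature covers every buffered message, a transcript that differs by even one message (or a signature made with a key other than the one in the client certificate) fails verification, which is exactly the condition the application callback is invoked for.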