no prompt for client certificates?
I have mTLS enabled for my domain, together with a WAF rule that blocks non-mTLS-authenticated requests, and installed a Cloudflare-issued client certificate on my machine.
However, when I try to visit my site using Chrome or Firefox, the window to select a certificate to present never opens, and I just get blocked.
Is there a configuration step for mTLS that I've missed?
29 Replies
Never mind...
@Idle what did you end up doing?
Are you having the same issue?
Yeah. I created a client cert, added it to the cert stores, and the WAF just doesn't seem to notice my client cert.
Really frustrating. Like, I would think after adding it to the cert store and browser it would present on request and move through.
It's a perspective/understanding problem.
The underlying assumption that the WAF takes care of requesting the client certificate isn't entirely correct, because if your browser has previously visited the site without needing to present a certificate, it will just assume it will never have to present one.
Long story short, clear your browser cache.
Or use an incognito tab.
Interesting
A while ago you could permanently lock clients out of your site with HPKP and long pinning periods if you were then forced to change your certs. Thank goodness this madness has passed.
I must be doing something wrong. I added the PFX to my cert store, cleared the cache and went incognito, and am still hitting the block page.
If you are not getting a prompt even in incognito, then it either means you have mTLS configured incorrectly or your browser is being weird.
I just have the WAF rule in play.
Did you actually enable mTLS for that host?
Having only a WAF rule is not enough.
Where in the heck is that buried? >.<
SSL/TLS > Client Certificates
OMG
It coulda slapped me in the face.
....
However, if you are simply trying to restrict access to your site, I would suggest going with Zero Trust/Access.
Makes it a lot more convenient to manage and overview who has access and what actions are taken on your site.
Sooo, the funny thing is... this IS for ZT.
Then I'd dare say you would be better off using CF ZT.
We have OFAC-type rules in our WAF, and it ends up blocking our contractors trying to access our ZT Tunnel-hosted sites.
My logic was I want to do a cert check, then bypass the whole WAF
vs. babysitting a Zero Trust rule with IPs.
That's not what ZT is about.
I'm aware.
That's... interesting.
But I am saying my regional WAF rules are blocking access to ZT.
Trying to find a nice, scalable way to bypass the WAF for specific users without babysitting non-static IPs.
So my brain thought: a cert check on the WAF.
TBH, I couldn't come up with a different way off the top of my head either.
This sounds like an interesting problem.
May I DM you?
Sure.
Friend request me 🙂