Resolution:
Check Client Configuration: Ensure the client is correctly configured to present an SSL certificate when making requests to the server. This often involves setting up the client with the necessary certificate files (certificate and private key) and configuring it to use them in requests.
Server Requirements: Verify the server's requirements for client certificates, including the CA (Certificate Authority) that must issue them, any necessary client certificate fields (like CN, SANs), and ensure your client certificate matches these criteria.
Certificate Trust: Make sure that the server trusts the CA that issued the client's certificate, and the client's certificate chain is correctly set up.
Debugging Tools: Use tools like curl with verbose logging, browser developer tools, or network analyzers like Wireshark to examine the SSL/TLS handshake process and identify where the failure occurs.
Server Configuration: Review the server's SSL/TLS configuration to ensure it's set up to request (but not necessarily require) client certificates if not all clients will provide them. Adjust configurations accordingly based on the application's security requirements.
What's the Edge SWG's role in this: The Edge SWG simply tunnels this request (it does not detect the protocol and does not authenticate). To achieve this within the Proxy, implement the CPL script below. If this access uses any other URLs, add them under the "define condition underwriteme_Allow" block.
;===========For Explicit Deployments ===========================================
<proxy>
condition=underwriteme_Allow detect_protocol(no) authenticate(no) ALLOW
define condition underwriteme_Allow
<the_target_url>
end
;===========================================================================
We recommend doing this in CPL rather than in the VPM. If you must use the VPM, make sure authentication is also disabled for all the related URLs.
Following the investigation, we can confirm that the reported error is not caused by the Proxy but by the client, which did not send the certificate that the server requires to authenticate its access. In the evidence we received, the server certificate details are visible, but no client certificate is presented. Please see the sample snippet below for reference.
With mTLS, note that the server is configured to require client certificates for certain requests. This is typically done for APIs, web services, or specific paths within a web application that need stronger security.
The client, which could be a browser, a script (e.g., one using curl), or another service, attempts to establish a connection without providing the required SSL certificate. This can be due to misconfiguration, the absence of a certificate, or incorrect client setup. So, ensure the client makes the request presenting the required certificate.