Apr 16 2019

It is not widely known that SSL interception does not work well in certain scenarios. One of them is mutual authentication (client certificate authentication, mTLS): in addition to the classic server authentication, the client authenticates itself to the server with a certificate of its own. An intercepting proxy terminates the TLS session towards the server and opens a second one towards the client, so it is the proxy, not the real client, that receives the server's CertificateRequest. It cannot answer it, because it does not hold the private key belonging to the client's certificate, and it cannot splice the real client into its own session either. That leaves the proxy with two options: 1) fail safe (fail closed), deny the client connection, or 2) fail open, let the original connection pass through untouched, at the price of no longer being able to break the encryption for it.

My observations in my scenario were that the McAfee Webgate proxy was doing SSL interception but not on mutual authentication. It was failing open. Awesome. I can tunnel to my Guacamole server!

Here is the most basic configuration for nginx to enable mutual authentication:

Inside nginx.conf, in your server block, add the following (the ssl_certificate and ssl_certificate_key paths are placeholders for the server's own certificate and key; nginx will not start a listen 443 ssl server without them):

server {
    listen 443 ssl;
    # the server's own certificate and key (example paths)
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    # CA whose client certificates we will ask for
    ssl_client_certificate /etc/nginx/client_certs/ca.crt;
    # "optional": nginx requests a client certificate but still completes the
    # handshake for clients that present none; $ssl_client_verify then holds
    # NONE, SUCCESS or FAILED:<reason>, so returning 403 to failures would be
    # a separate "if" check, which this configuration deliberately omits
    ssl_verify_client optional;
}

The ca.crt file (a self-signed CA; nginx refuses ssl_verify_client without a ssl_client_certificate to name) can be created with

openssl genrsa -des3 -out ca.key 4096 && openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

The -des3 option encrypts ca.key with a passphrase, which the req step asks for again before prompting for the subject fields. This CA does not have to issue a single client certificate; it only has to exist so that nginx has a CA name to put into its CertificateRequest.

This configuration (because it uses ssl_verify_client optional) does not even need client certificates. nginx sends a CertificateRequest during every handshake but still completes the handshake for a client that presents no certificate at all. The intercepting proxy sees that request, cannot satisfy it, and in the fail-open case hands the connection through untouched, so the client reaches the site as usual, end to end, without the proxy breaking the encryption and without ever needing a certificate. Two things worth checking in practice: since nothing evaluates $ssl_client_verify, nobody needs a client certificate, so the service behind nginx (here Guacamole) has to carry its own authentication; and from the client side, openssl s_client -connect host:443 shows whether the server certificate chain ends at the real CA or the proxy's, and lists the "Acceptable client certificate CA names" the server sent, which is exactly the message that triggers the fail-open decision.
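As an added example (not from the original post, nor code from McAfee or nginx), here is the proxy's side of what this post describes, in Python. An intercepting proxy is the TLS client toward the origin, so in TLS 1.2 it reads the server's CertificateRequest in plaintext and has to pick one of the two options above. The handshake bytes below are constructed by hand, not captured; interception_decision() is a hypothetical model of that policy, not any vendor's logic; and the parser handles the TLS 1.2 layout only (in TLS 1.3 the message is encrypted, but the proxy, being the endpoint of that session, decrypts it anyway).

```python
"""Proxy-side view of a TLS 1.2 server flight: was a client certificate requested?

Added example for this post. Constructed handshake bytes (not a capture) and a
hypothetical fail-open / fail-closed policy function.
"""
import struct

HANDSHAKE = 0x16              # TLS record content type
HS_SERVER_HELLO = 2
HS_CERTIFICATE = 11
HS_CERTIFICATE_REQUEST = 13   # RFC 5246 section 7.4.4
HS_SERVER_HELLO_DONE = 14


def iter_handshake_messages(flight: bytes):
    """Yield (type, body) for each handshake message in a run of TLS records."""
    # Records are only framing: concatenate their payloads first, because one
    # handshake message may span records or share a record with others.
    buf, offset = b"", 0
    while offset < len(flight):
        if len(flight) - offset < 5:
            raise ValueError("truncated record header")
        content_type, _version, length = struct.unpack("!BHH", flight[offset:offset + 5])
        if content_type != HANDSHAKE:
            raise ValueError(f"unexpected content type {content_type:#x}")
        buf += flight[offset + 5:offset + 5 + length]
        offset += 5 + length
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated handshake header")
        hs_type = buf[pos]
        hs_len = int.from_bytes(buf[pos + 1:pos + 4], "big")
        body = buf[pos + 4:pos + 4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated handshake body")
        yield hs_type, body
        pos += 4 + hs_len


def parse_certificate_request(body: bytes) -> dict:
    """Decode a TLS 1.2 CertificateRequest: cert types, sig algs, accepted CA names."""
    n = body[0]
    cert_types = list(body[1:1 + n])
    pos = 1 + n
    (sig_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    sig_algs = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + sig_len, 2)]
    pos += sig_len
    (dn_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end, ca_names = pos + dn_total, []
    while pos < end:
        (dn_len,) = struct.unpack("!H", body[pos:pos + 2])
        ca_names.append(body[pos + 2:pos + 2 + dn_len])    # each one a DER-encoded Name
        pos += 2 + dn_len
    return {"cert_types": cert_types, "sig_algs": sig_algs, "ca_names": ca_names}


def dn_common_name(der_name: bytes) -> str:
    """Pull commonName out of a DER Name; short-form lengths only (enough for the sample)."""
    oid = b"\x06\x03\x55\x04\x03"                      # id-at-commonName
    i = der_name.find(oid)
    if i < 0:
        return ""
    i += len(oid)                                      # i: string tag, i+1: length
    return der_name[i + 2:i + 2 + der_name[i + 1]].decode("utf-8")


def interception_decision(server_flight: bytes, fail_open: bool) -> str:
    """'intercept': no client cert asked for, MITM proceeds.
    'bypass': cert asked for, proxy lacks the client key -> fail open, pass through.
    'block':  cert asked for -> fail closed, connection denied."""
    asked = any(t == HS_CERTIFICATE_REQUEST for t, _ in iter_handshake_messages(server_flight))
    if not asked:
        return "intercept"
    return "bypass" if fail_open else "block"


def accepted_client_cas(server_flight: bytes) -> list:
    """CNs of the CAs the origin accepts client certificates from ([] if none requested)."""
    for t, body in iter_handshake_messages(server_flight):
        if t == HS_CERTIFICATE_REQUEST:
            return [dn_common_name(dn) for dn in parse_certificate_request(body)["ca_names"]]
    return []


# --- constructed sample flights (hand-built, not captured) -------------------
def tls_record(payload: bytes) -> bytes:
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload


def handshake_msg(hs_type: int, body: bytes) -> bytes:
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


SERVER_HELLO = handshake_msg(HS_SERVER_HELLO, b"\x03\x03" + b"\x00" * 32 + b"\x00\xc0\x2f\x00")
CERT_CHAIN = handshake_msg(HS_CERTIFICATE, b"\x00\x00\x00")       # empty chain placeholder
CA_DN = bytes.fromhex("3012 3110 300e 0603550403 0c07 54657374204341")  # Name: CN=Test CA
CERT_REQUEST = handshake_msg(
    HS_CERTIFICATE_REQUEST,
    bytes([1, 1])                                          # one type: rsa_sign(1)
    + struct.pack("!H", 4) + bytes.fromhex("0401 0403")    # rsa_pkcs1_sha256, ecdsa_secp256r1_sha256
    + struct.pack("!H", 2 + len(CA_DN)) + struct.pack("!H", len(CA_DN)) + CA_DN)
HELLO_DONE = handshake_msg(HS_SERVER_HELLO_DONE, b"")

# classic server-only auth vs. what ssl_verify_client optional produces
FLIGHT_SERVER_ONLY = tls_record(SERVER_HELLO) + tls_record(CERT_CHAIN + HELLO_DONE)
FLIGHT_MUTUAL = tls_record(SERVER_HELLO) + tls_record(CERT_CHAIN) + tls_record(CERT_REQUEST + HELLO_DONE)
```

Run against FLIGHT_MUTUAL, interception_decision() returns "bypass" for a fail-open proxy and "block" for a fail-closed one, while FLIGHT_SERVER_ONLY yields "intercept" either way; accepted_client_cas() shows the proxy learns which CA the origin trusts (the ca.crt above) without ever being able to produce a certificate chaining to it.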