It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Login Sign Up Contact & Support

United States – English (GMT-5)

Email Protection

Total Email Protection

Email Gateway Defense (Email Security)

Impersonation Protection (Sentinel)

Cloud-to-Cloud Backup

Cloud Archiving Service

Security Awareness Training (PhishLine)

Email Security Gateway

Incident Response

Message Archiver

WAF-as-a-Service

Web Application Firewall

Cloud Security Guardian

Load Balancer ADC

Vulnerability Manager

Web Security Agent

Vulnerability Remediation Service

WAF Control Center

Active DDoS Prevention

Reporting Server

CloudGen Firewall

CloudGen Access

Network Access Client

Firewall Insights

Web Security Gateway

Firewall Policy Manager

Server Backup (Yosemite)

RMM (Managed Workplace)

Managed Security Awareness Training (Managed Phishline)

Intronis Backup

MSP – Partner Management

MSP Knowledgebase

MSP – Partner Sales Enablement

NextGen Firewall X

Campus Help Center / Reference

Support Services

Network Security

Barracuda CloudGen Firewall

Overview Documentation Training Certification Materials

Email Protection

Total Email Protection

Email Gateway Defense (Email Security)

Impersonation Protection (Sentinel)

Cloud-to-Cloud Backup

Cloud Archiving Service

Security Awareness Training (PhishLine)

Email Security Gateway

Incident Response

Message Archiver

WAF-as-a-Service

Web Application Firewall

Cloud Security Guardian

Load Balancer ADC

Vulnerability Manager

Web Security Agent

Vulnerability Remediation Service

WAF Control Center

Active DDoS Prevention

Reporting Server

CloudGen Firewall

CloudGen Access

Network Access Client

Firewall Insights

Web Security Gateway

Firewall Policy Manager

Server Backup (Yosemite)

RMM (Managed Workplace)

Managed Security Awareness Training (Managed Phishline)

Intronis Backup

MSP – Partner Management

MSP Knowledgebase

MSP – Partner Sales Enablement

NextGen Firewall X

Campus Help Center / Reference

Support Services

Network Security

Login Sign Up Contact & Support

United States – English (GMT-5)

Back to Knowledgebase

Secure Web Proxy problem with 'Client Certificate' based authentication

Type: Knowledgebase
Date changed: 2 years ago

Solution #00005265

Scope:

This solution replies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x

Symptoms:

If a webserver is configured to use client certificates as authentication procedure, the ssl handshake from the secure web proxy to the webserver fails and therefore a connection can not be established.

Solution:

The secure web proxy breaks open the initial request from the client and the ssl handshake request to the webserver. This means that the handshake request to and the reply from the webserver is not going to be tunneld. After that, the proxy sends a re-negotiate request to the server in order to initiate a new ssl handshake which should have the affect that all traffic arriving from the client gets tunneld through the proxy.

Unfortunately some webservers like special versions of apache can not deal with a 're-negotiate' request.This leads to a never ending ssl handshake procedure and a connection to the server won't be established.

Configure these affected web sites in the SSL Exceptions Tunnellist configuration entity on the secure web proxy. The first ssl handshake is not broken open but gets tunneld in the first place to the webserver.

Note:
A virus scan is not possible with entries configured in the tunnellist.

Link to This Page:

https://campus.barracuda.com/solution/50160000000IKawAAG