What is the name of the domain?
What is the error number?
Block
What is the error message?
Sorry, you have been blocked
What is the issue you're encountering?
client from non-allowlisted IPs is not prompted to select TLS certificate before getting blocked
What steps have you taken to resolve the issue?
I have this WAF rule with a block action
(not cf.tls_client_auth.cert_verified and http.host eq "mtls.example.org" and not ip.src in {192.0.2.1 192.0.2.2})
the intent is
- if the IP is not allowlisted, a client TLS cert is required (block if a valid client cert is not presented)
- if the IP is allowlisted, a client TLS cert is not required (server-side TLS always)
The problem is that client browsers don't always prompt the user to select a client certificate, especially when the client switches from an allowlisted IP to a non-allowlisted IP. It does seem that CF always sends "Acceptable client certificate CA names" during the TLS handshake, but client browsers don't reliably give the user the opportunity to select a client cert.
Is there a more robust way to make this setup compatible with most clients (Chrome on Windows / Linux / Android)?
Thanks.
What is the current SSL/TLS setting?
Full (strict)
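The following is an added example, not code from the post and not Cloudflare's rule engine: a small evaluator for the subset of the rules-language syntax the posted rule uses (`not`/`and`/`or`, `eq`/`ne`, `in {...}`, parentheses), run over constructed request combinations to tabulate which ones the rule blocks. It assumes `not` binds tighter than `and`, which is what the poster's stated intent requires, and it goes one step beyond the post by also accepting CIDR entries in the `in {...}` set (the `CIDR_RULE` variant is an assumed rewrite, not something the post contains). All IPs are RFC 5737 documentation addresses. Note that this only models the rule's decision after the handshake; it says nothing about whether a browser shows the certificate picker, which is the open question in the post.

```python
"""Evaluate a Cloudflare-style WAF rule expression against constructed requests.

Added example (not the poster's code and not Cloudflare's engine): a small
recursive-descent evaluator for the subset of the rules language the posted
rule uses, used to tabulate which request combinations the rule blocks.
"""
import ipaddress
import re

# Rule exactly as posted (the block action fires when the expression is true).
RULE = ('(not cf.tls_client_auth.cert_verified and http.host eq "mtls.example.org" '
        'and not ip.src in {192.0.2.1 192.0.2.2})')
# Assumed variant: same intent, allowlist expressed as a CIDR block instead of single IPs.
CIDR_RULE = ('(not cf.tls_client_auth.cert_verified and http.host eq "mtls.example.org" '
             'and not ip.src in {192.0.2.0/24})')

TOKEN_RE = re.compile(r'\(|\)|\{|\}|"[^"]*"|[A-Za-z_][\w.]*|[0-9][0-9a-fA-F:./]*')
KEYWORDS = {"not", "and", "or", "eq", "ne", "in"}


def tokenize(text):
    """Split an expression into parens, braces, quoted strings, field names and IP/number literals."""
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {text[pos:pos + 10]!r}")
        tokens.append(m.group(0))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser: or < and < not < primary, matching the poster's intended precedence."""

    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            self.take(")")
            return node
        if tok in KEYWORDS or not (tok[0].isalpha() or tok[0] == "_"):
            raise ValueError(f"expected a field name, got {tok!r}")
        op = self.peek()
        if op in ("eq", "ne"):
            self.take()
            return (op, tok, self.parse_value())
        if op == "in":
            self.take()
            self.take("{")
            values = []
            while self.peek() != "}":
                values.append(self.parse_value())
            self.take("}")
            return ("in", tok, values)
        return ("field", tok)  # bare boolean field such as cf.tls_client_auth.cert_verified

    def parse_value(self):
        tok = self.take()
        return tok[1:-1] if tok.startswith('"') else tok


def evaluate(node, request):
    """Evaluate a parsed expression against a dict of request fields."""
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], request) or evaluate(node[2], request)
    if kind == "and":
        return evaluate(node[1], request) and evaluate(node[2], request)
    if kind == "not":
        return not evaluate(node[1], request)
    if kind == "field":
        return bool(request[node[1]])
    field, actual = node[1], request[node[1]]
    if kind == "eq":
        return actual == node[2]
    if kind == "ne":
        return actual != node[2]
    if kind == "in":
        if field == "ip.src":  # IP sets: each entry may be a single address or a CIDR block
            src = ipaddress.ip_address(actual)
            return any(src in ipaddress.ip_network(v, strict=False) for v in node[2])
        return actual in node[2]
    raise ValueError(f"unknown node {kind!r}")


def is_blocked(rule, cert_verified, host, src_ip):
    """True when the rule's expression matches, i.e. the block action would fire."""
    request = {"cf.tls_client_auth.cert_verified": cert_verified,
               "http.host": host, "ip.src": src_ip}
    return evaluate(Parser(rule).parse(), request)


def policy_table(rule, allowlisted_ip="192.0.2.1", other_ip="203.0.113.9"):
    """Constructed request combinations (documentation IPs) mapped to the rule's block decision."""
    cases = [("allowlisted IP, no cert", False, "mtls.example.org", allowlisted_ip),
             ("allowlisted IP, cert verified", True, "mtls.example.org", allowlisted_ip),
             ("other IP, no cert", False, "mtls.example.org", other_ip),
             ("other IP, cert verified", True, "mtls.example.org", other_ip),
             ("other IP, no cert, other host", False, "www.example.org", other_ip)]
    return {label: is_blocked(rule, cert, host, ip) for label, cert, host, ip in cases}


if __name__ == "__main__":
    for label, blocked in policy_table(RULE).items():
        print(f"{label:32} -> {'BLOCK' if blocked else 'allow'}")
```

Only the "other IP, no cert" row is blocked, which is exactly the poster's stated intent; the rule itself is sound, so the picker problem lies in the handshake, not in the expression.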