Quantcast



Docs

Blogs

Forums

Samples

Media

Labs

Resources
 




DevCentral > Weblogs > Joe Pruitt - A Software Architect's take on Network Security
 iRule: passing client cert to node
posted on Wednesday, July 27, 2005 9:48 AM

In this case, the BIG-IP is terminating SSL connections but the backend web server needs the information from the certificate but doesn't want the BIG-IP to re-encrypt the traffic to the node.

We have successfully configured the BIGIP device to require client certificates - it accepts the certs and passes the traffic through. Now, we need to be able to read and manipulate the client cert at the backend IIS web server via ASP/ASP.NET code.

No problem. With iRules you have full access to the client certificate and it's fairly simple to base64 encode the entire client certificate in a HTTP header and pass it to the backend webserver. Here's what wthem finally came up with with some guidance from the DevCentral team. 

when CLIENTSSL_HANDSHAKE
{
  set cur [SSL::sessionid]
  set ask [session lookup ssl $cur] 
  if { $ask eq "" } { 
    session add ssl [SSL::sessionid] [SSL::cert 0]
  }
}

when HTTP_REQUEST
{
  set id [SSL::sessionid]
  set the_cert [session lookup ssl $id]
  if { $the_cert != ""}
  {
    HTTP::header replace SSLClientCert [b64encode $the_cert]
  }
}

Search Google for Base64 and VB and you should find a implementation of the decoding method (or check the forum thread below...

Click here for the original thread.

-Joe

[Listening to: Ants Marching - Dave Matthews Band - Central Park Concert (2 of 3) (05:51)]

Categories:  

Email This
  del.icio.us
      

Feedback

3/19/2008 1:57 PM
Gravatar Will this iRule work for BigIP version 4.5?
Brett
3/19/2008 2:01 PM
Gravatar There are some things you can do with the client side request on 4.x but I don't believe that you have access to the actual certificate to add as a new http header. You might check in the 4.x admin guide to find which iRule commands are available but I'm thinking there isn't a one to one mapping.

-Joe
Joe Pruitt
3/20/2008 6:32 AM
Gravatar Thanks for your reply, I was hoping for better news. However do you have a link to the admin doc you mention above.
Brett
3/20/2008 11:51 AM
Gravatar Sure thing, Head over to Ask.f5.com, login, click on Supported Products, select "BIG-IP 4.x" and select the "BIG-IP Reference Guide" and search for the iRules section.

Here's the direct link to the iRules syntax section:

[quote]https://support.f5.com/kb/en-us/products/big-ip_4_x/manuals/product/bigip4_6_2ref/BIGip_rules.html#1204781
[url]https://support.f5.com/kb/en-us/products/big-ip_4_x/manuals/product/bigip4_6_2ref/BIGip_rules.html#1204781[/url][/quote]

-Joe
Joe Pruitt
3/20/2008 11:52 AM
Gravatar Sure thing, Head over to Ask.f5.com, login, click on Supported Products, select "BIG-IP 4.x" and select the "BIG-IP Reference Guide" and search for the iRules section.

Here's the direct link to the iRules syntax section:

https://support.f5.com/kb/en-us/products/big-ip_4_x/manuals/product/bigip4_6_2ref/BIGip_rules.html#1204781

-Joe
Joe Pruitt
 Leave Feedback
Title  
Name  
Email
Url
Comments   
Please add 5 and 4 and type the answer here:

Copyright 1996 - 2008 F5 Networks, Inc. | Privacy Statement | Terms Of Use