Forum Discussion
Hi,
Could you please explain the connection flow? The issue here is that the "CLIENTSSL_CLIENTCERT" event is triggered only when the client sends a certificate during an SSL handshake, not when sending the certificate inside an HTTP header with a GET/POST request.
Is the client trying to set up an SSL connection with the VS? Or is he simply sending a certificate inside an HTTP request?
Many thanks,
Karim
- DecDawkins_3864, Apr 03, 2019 (Nimbostratus)
Hi Karim,
We have a cloud proxy sending a two-way client cert request to exampleurl.com. Exampleurl.com is protected by F5 Silverline, with its backend being a BigIP. Silverline cannot provide the client cert auth, so the SOC team have written an iRule to encode the cert and pass it to the backend in the header, leaving it to our BigIP backend to validate the cert.
Cheers,
Dec
- Karim_Benyello1, Apr 03, 2019 (Cirrus)
OK, if I understand correctly: your BIG-IP receives a certificate inside an HTTP header and you want to validate it. Your BIG-IP doesn't request the client certificate as part of the SSL handshake.
If the above is correct, then the event "CLIENTSSL_CLIENTCERT" is never triggered on your BIG-IP. You have to validate the certificate inside the HTTP_REQUEST event. Try the following:

```tcl
when HTTP_REQUEST {
    if { [HTTP::header exists "X-Client-Cert-Example"] } {
        # Decode the base64-encoded certificate passed in the header
        set cert_header [b64decode [HTTP::header "X-Client-Cert-Example"]]
        # Extract the subject DN and log it
        set subject_dn [X509::subject $cert_header]
        log local0. $subject_dn
        # You can add below all the tests you want about the certificate
    }
}
```
Many thanks,
Karim
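
The HTTP_REQUEST approach from the reply above, extended to fail closed, as an added example that is not code from the thread or from F5. Assumptions: the header carries a base64-encoded certificate in a form the `X509::` commands accept, `trusted_proxy_nets` is a hypothetical address data group listing the upstream proxy's source ranges, and the issuer string is a placeholder.

```tcl
when RULE_INIT {
    # Placeholder: replace with the exact issuer DN of your client CA
    set static::expected_issuer "CN=Example Issuing CA (placeholder)"
}
when HTTP_REQUEST {
    # A header is only as trustworthy as its sender: accept it solely from
    # the upstream proxy (hypothetical data group), otherwise it is forgeable.
    if { ![class match [IP::client_addr] equals trusted_proxy_nets] } {
        HTTP::respond 403 content "Forbidden"
        return
    }
    # Require exactly one instance so a duplicated header cannot be ambiguous.
    if { [HTTP::header count "X-Client-Cert-Example"] != 1 } {
        HTTP::respond 403 content "Forbidden"
        return
    }
    # Variables persist across requests on a connection, so reset first.
    set cert ""
    # b64decode and the X509:: commands raise errors on malformed input;
    # catch them and reject instead of letting the rule abort.
    if { [catch {
        set cert       [b64decode [HTTP::header value "X-Client-Cert-Example"]]
        set subject_dn [X509::subject $cert]
        set issuer_dn  [X509::issuer $cert]
        set not_before [clock scan [X509::not_valid_before $cert]]
        set not_after  [clock scan [X509::not_valid_after $cert]]
    } err] } {
        log local0. "Client cert header rejected: $err"
        HTTP::respond 403 content "Forbidden"
        return
    }
    # Field checks: expected issuer and current validity window.
    set now [clock seconds]
    if { $issuer_dn ne $static::expected_issuer
         || $now < $not_before || $now > $not_after } {
        log local0. "Client cert refused: subject=$subject_dn issuer=$issuer_dn"
        HTTP::respond 403 content "Forbidden"
        return
    }
    log local0. "Client cert accepted: subject=$subject_dn"
}
```

These checks compare certificate fields only; they do not verify the signature chain or that the client holds the private key, so the result is only as strong as the trust placed in the proxy that performed the handshake.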