Forum Discussion

Cirrus

Oct 18, 2022

Solved

Client Authentication with certificate on one URI only

Hello, I need your help figuring out how to troubleshoot a new implementation. We have a VIP exhibiting our service. The VIP has its own SSL client profile. Behind this VIP is an IIS which has 5 we...

application delivery

Kevin_Stewart
Oct 27, 2022
Just to quickly follow up on this question, the answer depends on when. From an OSI perspective, by the time you've reached the HTTP uri, the TLS handshake is already done, so you really don't have any other option but to perform renegotiation. Since the client and BIG-IP have already established a TLS session (without cert auth), you basically have to tell the client to start a new TLS handshake, while you flip on the cert auth option. Even APM does this for things like On-Demand Cert Auth, that happen after initial TLS handshake and after the access policy has started.

If you can get to the data you're looking for before the TLS handshake finishes, like looking at the SNI in the layer 4 TCP payload, then it would be possible to switch client SSL profiles (between auth and non-auth SSL profiles).

mihaic

MVP

Oct 19, 2022

I think this problem was already on the forums:

https://community.f5.com/t5/technical-articles/selective-client-cert-authentication/ta-p/275555

when CLIENTSSL_CLIENTCERT {
  HTTP::release
  if { [SSL::cert count] < 1 } {
    reject
  }
}

when HTTP_REQUEST {
  if { [matchclass [HTTP::uri] starts_with $::requires_client_cert] } {
    if { [SSL::cert count] <= 0 } {
      HTTP::collect
      SSL::authenticate always
      SSL::authenticate depth 9
      SSL::cert mode require
      SSL::renegotiate
    }
  }
}

tub91
Cirrus
Oct 21, 2022
Hi mihaic
Thank you for your answer. However, we would like to avoid using SSL Renegotiation.
Is there any way to do this through the APM?
- Kevin_Stewart
  Employee
  Oct 27, 2022
  Just to quickly follow up on this question, the answer depends on when. From an OSI perspective, by the time you've reached the HTTP uri, the TLS handshake is already done, so you really don't have any other option but to perform renegotiation. Since the client and BIG-IP have already established a TLS session (without cert auth), you basically have to tell the client to start a new TLS handshake, while you flip on the cert auth option. Even APM does this for things like On-Demand Cert Auth, that happen after initial TLS handshake and after the access policy has started.
  
  If you can get to the data you're looking for before the TLS handshake finishes, like looking at the SNI in the layer 4 TCP payload, then it would be possible to switch client SSL profiles (between auth and non-auth SSL profiles).
- iaine
  Nacreous
  Oct 25, 2022
  Do your clients support SNI? If so, you could have two SSL profiles attached to your VIP. The default one would for your 4 websites and the SNI one would be for your site that requires Client Cert auth and so would have this option set to require. The default SSL profile would have Client Cert set to Ignore
  
  You could do this via APM I guess - if the requested HTTP Host equals the 5th site then you could enable APM and insert an On Demand Client Cert object
  
  SNI - https://support.f5.com/csp/article/K13452
  - tub91
    Cirrus
    Oct 25, 2022
    Hi iaine
    Using the "Request" in the Client Authentication section of the SSL Client profile and entering the CA that issued the certificate, we were able to obtain the expected result.
    Obviously we then set up an iRule that verifies and allows access to the single URI on which the authentication with certificate must be.
    I have explained the implemented flow in more detail here. Thank you for your interest
    https://community.f5.com/t5/technical-forum/client-certificate-authentication-clarifications/m-p/303157#M262689

Forum Discussion

Client Authentication with certificate on one URI only

Recent Discussions

Reliable resources for identifying IP addresses

Maximum throughput of f5 ltm

Issue on license renewal

iRule cookie persistence and pool redirect

redirect not working

Related Content

BIG-IQ Client Certificate (PKI) Authentication

Thumbprint of the client ssl certificate

Slack Mutual TLS Recipe: Adding X-Client-Certificate-SAN header from client certificate

Selective Client Cert Authentication

SSL Orchestrator Advanced Use Cases: Client Certificate Constrained Delegation (C3D) Support