Forum Discussion

alanjohnson7467's avatar
alanjohnson7467
Icon for Cirrus rankCirrus
Jul 10, 2019
Solved

Extract SAN from Client SSL Certificate & Insert into HTTP Header

Hi folks, I'm working with some co-workers to setup some Slack.com forwarding in our environment. Mutual TLS and the insertion of the SAN from the client certificate into a HTTP header is a requir...
application delivery
iRules
LTM
ltm policy
security
  • Eric_Chen's avatar
    Eric_Chen
    Aug 28, 2019

    When I apply that iRule my test cert works. Not sure why your environment is different. Here's an alternate iRule you could try.

    when HTTP_REQUEST {
  if {[SSL::cert 0] ne ""}{
    set tmpcn [X509::subject [SSL::cert 0]]
    set cn [findstr $tmpcn "CN=" 3]
    HTTP::header replace X-Client-Certificate-SAN $cn
    
  } else {
    HTTP::header remove X-Client-Certificate-SAN
  }
}

    My test results.

     curl -k --cert ./platform-tls-client.slack.com.crt --key ./platform-tls-client.slack.com.key https://192.168.1.200:8443/headers.json
{"User-Agent":"curl/7.29.0","Host":"192.168.1.200:8443","Accept":"*/*","X-Client-Certificate-SAN":"platform-tls-client.slack.com"}

    Here's what my config looks like.

    ltm virtual test_vs {
    creation-time 2019-08-27:10:03:53
    destination 192.168.1.200:pcsync-https
    ip-protocol tcp
    last-modified-time 2019-08-27:10:20:58
    mask 255.255.255.255
    pool slack_pool
    profiles {
        http { }
        mtls_clientssl {
            context clientside
        }
        tcp { }
    }
    rules {
        slack2
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 3
}
 
ltm profile client-ssl mtls_clientssl {
    app-service none
    authenticate-depth 0
    ca-file f5ca
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain true
    peer-cert-mode require
}
 
ltm rule slack2 {
when HTTP_REQUEST {
  if {[SSL::cert 0] ne ""}{
    # extract SAN
    set santemp [findstr [X509::extensions [SSL::cert 0]] "Subject Alternative Name" 32 ","]
    # remove DNS: prefix
    set san [findstr $santemp "DNS" 4]
    # insert X-Client-Certificate-SAN header
    HTTP::header replace X-Client-Certificate-SAN $san
 
  } else {
    HTTP::header remove X-Client-Certificate-SAN
  }
}
}
alanjohnson7467's avatar
alanjohnson7467
Icon for Cirrus rankCirrus

Hi Eric,

 

Our application owners have finally gotten around to testing this and we are running into a slight problem. The header is getting inserted, but is including this full value which seems to be breaking things:

 

platform-tls-client.slack.com X509v3 Key Usage: critical Digital Signature

 

...do have any suggestions on how to remove the extra info in the value?

 

 

Thanks!

Eric_Chen's avatar
Eric_Chen
Icon for Employee rankEmployee
Aug 28, 2019

When I apply that iRule my test cert works. Not sure why your environment is different. Here's an alternate iRule you could try.

when HTTP_REQUEST {
  if {[SSL::cert 0] ne ""}{
    set tmpcn [X509::subject [SSL::cert 0]]
    set cn [findstr $tmpcn "CN=" 3]
    HTTP::header replace X-Client-Certificate-SAN $cn
    
  } else {
    HTTP::header remove X-Client-Certificate-SAN
  }
}

My test results.

 curl -k --cert ./platform-tls-client.slack.com.crt --key ./platform-tls-client.slack.com.key https://192.168.1.200:8443/headers.json
{"User-Agent":"curl/7.29.0","Host":"192.168.1.200:8443","Accept":"*/*","X-Client-Certificate-SAN":"platform-tls-client.slack.com"}

Here's what my config looks like.

ltm virtual test_vs {
    creation-time 2019-08-27:10:03:53
    destination 192.168.1.200:pcsync-https
    ip-protocol tcp
    last-modified-time 2019-08-27:10:20:58
    mask 255.255.255.255
    pool slack_pool
    profiles {
        http { }
        mtls_clientssl {
            context clientside
        }
        tcp { }
    }
    rules {
        slack2
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 3
}
 
ltm profile client-ssl mtls_clientssl {
    app-service none
    authenticate-depth 0
    ca-file f5ca
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain true
    peer-cert-mode require
}
 
ltm rule slack2 {
when HTTP_REQUEST {
  if {[SSL::cert 0] ne ""}{
    # extract SAN
    set santemp [findstr [X509::extensions [SSL::cert 0]] "Subject Alternative Name" 32 ","]
    # remove DNS: prefix
    set san [findstr $santemp "DNS" 4]
    # insert X-Client-Certificate-SAN header
    HTTP::header replace X-Client-Certificate-SAN $san
 
  } else {
    HTTP::header remove X-Client-Certificate-SAN
  }
}
}