Forum Discussion

Prakash_Jayaram
Sep 29, 2015

How to retrieve SSL client certificate from HTTP header

I have a scenario where the actual SSL client certificate is already inserted inside the HTTP header. How can I make the F5 look inside the HTTP header for the actual SSL client certificate?


3 Replies

  • Hello,

    According to the SSL standard, the client has to present the authentication certificate during the SSL handshake. Your request would only be doable with an iRule solution. Even then, you will allow all clients to complete the SSL handshake, and decide to drop some of them who do not present the required HTTP header with a correct value. Essentially, you're building an L7 whitelist solution where client access rights are determined by the value of an HTTP header.

    To help you get started: The function to return the value of a particular HTTP header is

    [HTTP::header value {MyHeader}]

    when HTTP_REQUEST {
      # Log the raw header value; the angle brackets make a blank value visible
      log local0. "The value of HTTP header MyHeader is <[HTTP::header value {MyHeader}]>"
    }

    Results are logged to /var/log/ltm. If the value is blank, the header was not found in the client request.

    Once you are at a point where you can see the actual certificates being logged to /var/log/ltm as the value of a HTTP header, I can help with the next step which is building a whitelist component of the iRule.

  • Hello Hannes Rapp,


    Thanks for your answer. I am able to see the certificate in the header. How do I take this certificate out from the header and decrypt it? How can I proceed further using it like a normal SSL::cert 0, etc.? Please suggest.


    • Hannes_Rapp
      If you see the HTTP header, your traffic flow is already decrypted - you would not be able to access this information in case of encrypted traffic flow. This means your F5 offloads the SSL (completes the SSL handshake without authenticating the client). This header will not be used for traffic decryption at any point, but you can still use this information for client-authentication at the upper layer. Does this make sense? Based on your initial post, it seems like you want to create a client-authentication solution but you have the SSL client-certificate information in HTTP protocol information. Can you confirm this is what you're trying to accomplish or if there's a misunderstanding here?
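The "whitelist component" that the first reply describes as the next step, written out as an added example iRule; this is not code from the thread or from any of its participants. The header name X-Client-Cert and the data-group name allowed_client_certs are assumed, and the iRule only makes sense if the device that inserts the header is trusted and strips any copy of that header the client itself sends, since the BIG-IP never sees the TLS handshake that produced the certificate.

```tcl
# Added example, not from the thread: an L7 allowlist keyed on the value of
# an HTTP header that carries client-certificate information.
# Assumed (hypothetical) names: header X-Client-Cert; a string data group
# called allowed_client_certs holding the accepted header values.
when HTTP_REQUEST {
    set cert_hdr [HTTP::header value {X-Client-Cert}]

    # A blank value means the header was not present: nothing to authenticate.
    if { $cert_hdr eq "" } {
        log local0. "No X-Client-Cert header from [IP::client_addr]; rejecting"
        HTTP::respond 403 content "Client certificate required" noserver
        return
    }

    # Exact-match lookup of the header value against the data group (the whitelist).
    if { [class match -- $cert_hdr equals allowed_client_certs] } {
        log local0. "X-Client-Cert from [IP::client_addr] is on the allowlist"
    } else {
        log local0. "X-Client-Cert from [IP::client_addr] not on the allowlist; rejecting"
        HTTP::respond 403 content "Forbidden" noserver
    }
}
```

The allowlist is a BIG-IP string data group, so entries can be managed without editing the iRule. Because the match is on the exact header string, the upstream device must emit the certificate in a stable encoding (for example one consistent Base64 or URL-encoded form); if it does not, normalise the value before the lookup or store a digest of the certificate in the data group instead of the full certificate text.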