
Client Certificate Authentication - QR Codes - Client Request

Hello,

I'm a little bit stumped on this one - I have Client Based Certificate Authentication to a VIP and I'm requesting the check via an iRule.

The iRule works perfectly fine in a browser. The way most browsers work is I'm able to select the certificate that I want to choose before moving onto and getting forwarded onto the VIP. This is a crappy way in my opinion as to how Client Based Certification should work, I think it should all be passive, browser does a scan of Certs and then passes you onto the VIP if you have the proper Certificate Creds. Maybe there is a way to do a passive check, I just don't know, please provide any input.

I think in point this is part of my problem. I have a mobile device with a QR Code. When I scan the QR Code the mobile device does not prompt for a certificate. I don't get a failure of Forbidden on the page post QR Code Scan and I can't determine where my failure is at.

I only get this error while using a mobile device, in a regular device with a browser everything works.

" - Error using (line 23)"

Line 23 in the irule editor is in fact blank.

Any ideas on either getting this to Passively check an end user clients cert? or has anyone done QR code Scans with Client Certificate Auth before? Anyone see any issues with the iRule?

Thanks,

when RULE_INIT {
    set static::debug 1
    set subject_dn ""
}

when CLIENTSSL_CLIENTCERT {
    # A client that sends no certificate leaves [SSL::cert 0] empty, and
    # X509::subject on an empty value is a runtime error (the "Error using
    # <Certificate>" seen in the comments below), so guard it first.
    if { [SSL::cert 0] eq "" } {
        log local0. "Source [IP::client_addr] didn't provide a certificate"
        return
    }
    set subject_dn [X509::subject [SSL::cert 0]]
    if { $subject_dn ne "" } {
        if { $static::debug } { log local0. "Client Certificate received: $subject_dn" }
    }
}

when CLIENTSSL_HANDSHAKE {
    # SSL::verify_result returns 0 when the client certificate verified
    # against the profile's CA. The original "== !0" compared against 1.
    if { [SSL::verify_result] == 0 } { set clientCRT 1 } else { set clientCRT 0 }
}

when HTTP_REQUEST {
    STREAM::disable

    set RequestedURI [string tolower [HTTP::uri]]

    # subject_dn only exists when CLIENTSSL_CLIENTCERT saw a certificate
    if { [info exists subject_dn] } {
        switch -glob $RequestedURI {
            "/examplesite*" {
                if { $subject_dn contains "CN=examplesite1" } {
                    pool EXAMPLE_POOL1
                    log local0. "Source [IP::client_addr] has been accepted by certificate subject [HTTP::uri]"
                } else {
                    reject
                    log local0. "Source [IP::client_addr] has been rejected:$subject_dn [HTTP::uri]"
                }
            }
            default {
                if { $subject_dn contains "CN=examplesite2" } {
                    pool EXAMPLE_POOL2
                    log local0. "Source [IP::client_addr] has been accepted [HTTP::uri]"
                } else {
                    reject
                    log local0. "Source [IP::client_addr] has been rejected:$subject_dn [HTTP::uri]"
                }
            }
        }
    } else {
        HTTP::respond 403 content "Access Denied - Incorrect Certificate" "Content-Type" "text/html" "Connection" "Close"
    }
}
Comments on this Question
Comment made 1 month ago by DenverRB 72

I was able to stand up some more debugging, but not sure what this would identify the problem to be -

<CLIENTSSL_CLIENTCERT> - Error using <Certificate> (line 1)     invoked from within "X509::subject [SSL::cert 0]"
Comment made 1 month ago by Niels van Sluis 2727

It seems that the client didn't provide a certificate. You could add an extra check to your iRule:

# Check if client provided a cert (SSL::cert 0 is empty when none was sent)
if { [SSL::cert 0] eq "" } {
    log local0. "Source [IP::client_addr] didn't provide a certificate; rejected client"
    # Reset the connection
    reject
}

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Can you check the following setting in the SSL Client profile under Client Authentication: Advertised Certificate Authorities

Help says:

Specifies that the CAs that the system advertises to clients is being trusted by the profile. The default is None.

This should trigger the browser to automatically send the right certificate.

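Added example, not from this thread or from F5: a small POSIX shell helper that shows, from the client side, which CAs a VIP advertises in its TLS CertificateRequest, as printed by openssl s_client. A client (including a mobile device scanning a QR code) picks a certificate only from issuers in that list, so this is how to confirm the Advertised Certificate Authorities setting above took effect. The hostname, CA names and the captured output are constructed placeholders.

```shell
#!/bin/sh
# Print the CA subject names a server advertised, one per line, parsed from
# `openssl s_client` output given as a file argument or on stdin. s_client
# prints them after the line "Acceptable client certificate CA names" and
# before the next section header ("Client Certificate Types", etc.).
advertised_cas() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && /^(Client Certificate Types|Requested Signature Algorithms|---)/ { in_list = 0 }
        in_list { print }
    ' "$@"
}

# Exit 0 if a CA with the given CN is in the advertised list read from stdin.
# If the server advertises no CAs, s_client prints
# "No client certificate CA names sent" instead, and this returns 1.
ca_advertised() {
    advertised_cas | grep -q -F "CN = $1"
}

# Live probe of a VIP (host:port placeholder). -servername sets SNI so the
# right client SSL profile is selected; </dev/null makes s_client exit.
probe_vip() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null
}

# Constructed sample of s_client output for offline use (not a real capture).
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = examplesite.example
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Internal CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 2345 bytes and written 412 bytes
'

# Usage against the sample:  printf '%s' "$SAMPLE_OUTPUT" | advertised_cas
# Usage against a real VIP:   probe_vip examplesite.example:443 | ca_advertised "Example Internal CA"
```

If the list is empty or missing the issuing CA of the device certificate, the client will not offer a certificate and CLIENTSSL_CLIENTCERT sees none, which matches the mobile symptom in the question.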