
Looking for an Irule to enforce ssl client authentication and then pass ssl certificate details to the backend server

Hi, I used the below iRule:

when CLIENTSSL_CLIENTCERT {
    log local0. "start CLIENTSSL_CLIENTCERT"
    set the_cert [SSL::cert 0]
    set pkiSubject [X509::subject $the_cert]
    set pkiIssuer [X509::issuer $the_cert]
    log local0. "end CLIENTSSL_CLIENTCERT"
}

when HTTP_REQUEST {
    log local0. "start HTTP_REQUEST, uri is [HTTP::uri]"
    if { [HTTP::uri] eq "/server.htm" } {
        log local0. "/server.htm detected!"
        if { [SSL::cert count] == 0 } {
            log local0. "no certificate found... force SSL"
            SSL::cert mode require
            SSL::renegotiate
            log local0. "end HTTP_REQUEST"
        }
    } else {
        # note: this else belongs to the URI check above, so it only runs
        # for requests that are NOT for /server.htm
        log local0. "certificate found!"
        set the_cert [SSL::cert 0]
        set pkiSubject [X509::subject $the_cert]
        set pkiIssuer [X509::issuer $the_cert]
        HTTP::header insert CLIENTSSL_Status [SSL::verify_result]
        HTTP::header insert CLIENTSSL_StatusString [X509::verify_cert_error_string [SSL::verify_result]]
        HTTP::header insert CLIENTSSL_CN $pkiSubject
        HTTP::header insert CLIENTSSL_SSLIssuer $pkiIssuer
        HTTP::header insert CLIENTSSL_SSLClientCertSN [X509::serial_number $the_cert]
        HTTP::header insert CLIENTSSL_Cert [b64encode $the_cert]
    }
}

I get a request to provide a certificate while requesting server.htm, but the headers are not inserted on the GET request forwarded to the server. I ran tcpdump and got the below:

..P.......GET /server.htm HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US,he-IL;q=0.7,he;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 192.168.3.100
If-Modified-Since: Tue, 28 Oct 2014 21:19:37 GMT
If-None-Match: "120851-14-50682345b18a4"
Connection: Keep-Alive

I'm using LTM 11.4

How can I resolve the problem?


Answers to this Question

Comments on this Answer
Comment made 13-Nov-2014 by Michael 76
Thank you. The above iRule with some modifications provided me the results I wanted to get.

Do you see any log entries such as /server.htm detected etc?


I suspect you need to move some of your logic to the CLIENTSSL_CLIENTCERT event.


Apologies, we've gone from no spam filters to rather over the top ones here on DC it seems, so had to split it up.


Hi Michael,

If you want to do Client Certificate Authentication 'always' for a virtual server, you can modify the client-ssl profile you're using to achieve as much. The setting is called 'Client Certificate' and should be set to 'require'.

Make sure to also upload the chain for valid certificates and select it in the 'Trusted Certificate Authorities' and 'Advertised Certificate Authorities' picklists.

This way, you can simply use the following iRule to achieve your goal:

when HTTP_REQUEST {
    HTTP::header insert "SSL_CLIENT_CERT" [X509::whole [SSL::cert 0]]
}

This differs from your iRule in that it doesn't use the iRule to renegotiate the connection to make sure the client sends a certificate. If, however, you want to only request/require a client certificate for specific URLs, you're going to need something along the lines of your iRule, or you're going to need the APM module with the 'OnDemand Certificate Auth' building block.

Kind regards,

Thomas

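Putting the two suggestions above together (capture the certificate in CLIENTSSL_CLIENTCERT, and let the client-ssl profile's 'require' setting enforce the certificate instead of renegotiating from the iRule), here is an added example iRule that is not from this thread or from F5. The SSL_CLIENT_* header names and the 403 handling are assumptions; the defensive point it adds is that any client-supplied copies of those headers are stripped before the trusted values are inserted, since a backend that trusts the header name otherwise cannot tell a forwarded value from one the client sent itself.

```tcl
# Added example, not code from the thread or from F5. Assumes the client-ssl
# profile has 'Client Certificate' set to 'require' and the trusted CA chain
# configured (see the answer above), and that the backend trusts these
# header names only on traffic arriving through this virtual server.
when CLIENTSSL_CLIENTCERT {
    # Capture certificate details here, where the certificate is guaranteed
    # to be present; iRule variables persist for the life of the connection.
    set the_cert    [SSL::cert 0]
    set pki_subject [X509::subject $the_cert]
    set pki_issuer  [X509::issuer $the_cert]
    set pki_serial  [X509::serial_number $the_cert]
    set pki_result  [SSL::verify_result]
    set pki_status  [X509::verify_cert_error_string $pki_result]
}

when HTTP_REQUEST {
    # Header names are an assumption; any fixed names the backend agrees on work.
    set cert_headers {SSL_CLIENT_CERT SSL_CLIENT_S_DN SSL_CLIENT_I_DN SSL_CLIENT_SERIAL SSL_CLIENT_VERIFY}

    # Strip every client-supplied copy of these headers first, so the backend
    # can never receive a value under these names that the BIG-IP did not set.
    foreach h $cert_headers {
        while { [HTTP::header exists $h] } {
            HTTP::header remove $h
        }
    }

    # Fail closed if no certificate was captured or verification failed
    # (e.g. the profile was left at 'request' instead of 'require').
    if { ![info exists the_cert] || $pki_result != 0 } {
        log local0. "client cert missing or invalid from [IP::client_addr] for [HTTP::uri]"
        HTTP::respond 403 content "Client certificate required"
        return
    }

    # The DER certificate is base64-encoded so it fits on a single header line;
    # X509::whole (PEM) would need its line breaks removed first.
    HTTP::header insert SSL_CLIENT_CERT   [b64encode $the_cert]
    HTTP::header insert SSL_CLIENT_S_DN   $pki_subject
    HTTP::header insert SSL_CLIENT_I_DN   $pki_issuer
    HTTP::header insert SSL_CLIENT_SERIAL $pki_serial
    HTTP::header insert SSL_CLIENT_VERIFY "$pki_result $pki_status"
}
```

The backend should still only honour these headers on connections that can only originate from the BIG-IP (for example a dedicated server-side VLAN or a server-ssl profile with mutual TLS), so the header stripping is a second layer rather than the only one.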