Reject connections with no extension keyusage in client certificate

Good morning everyone!

One of our clients is asking me to be able to block all connections where the client certificate does not contain the keyusage extension.
I found this link which is already a good help but, not being an expert in iRules, I'm asking for your help.

The goal is to reject all connections which don't have this in the "X509v3 extensions" of the client certificate:

<CLIENTSSL_CLIENTCERT>:     X509v3 Extended Key Usage: 
<CLIENTSSL_CLIENTCERT>:         TLS Web Client Authentication

Thank you so much in advance!!

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Ok, so I've been thinking about this as I had a feeling the command would return a list of all extensions, meaning that it wouldn't match your iRule - resulting in all traffic being dropped.

So I created a v3 self-signed cert and did some testing:

When you return [X509::extensions [SSL::cert 0]] it returns a list of all extensions - please see the log below from the following simple iRule

when CLIENTSSL_CLIENTCERT {
    # Log the full extension text of the first certificate in the client's chain
    log local0. "[X509::extensions [SSL::cert 0]]"
}

Jan 30 21:14:56 bigip1 info tmm[13575]: Rule /Common/client-ssl-test <CLIENTSSL_CLIENTCERT>: X509v3 extensions: X509v3 Subject Key Identifier: ED:EA:FE:70:6D:21:DF:8E:AD:E4:40:4E:8E:58:78:4E:B2:44:E8:DC X509v3 Authority Key Identifier: keyid:ED:EA:FE:70:6D:21:DF:8E:AD:E4:40:4E:8E:58:78:4E:B2:44:E8:DC X509v3 Basic Constraints: CA:TRUE

Given it's returning all of the v3 extensions for the test certificate, we're going to need to use string match to search the returned extensions.

It's also worth noting that the Wiki states that if an invalid certificate is presented it will raise a TCL error which results in a TCP reset. Putting the [X509::extensions [SSL::cert 0]] in a catch can mitigate the TCL error.

Putting it all together it looks something like this, let me know how you get on.

when CLIENT_ACCEPTED {
    # The extension text we require somewhere in the client certificate
    set requireX509Ext "TLS Web Client Authentication"
}

when CLIENTSSL_CLIENTCERT {
    # An invalid certificate makes X509::extensions raise a Tcl error (and a TCP reset),
    # so wrap it in catch and handle the failure ourselves
    if {[catch {set x509Ext [X509::extensions [SSL::cert 0]]} catchErr ]} {
        log local0. "Certificate Error! $catchErr"
        return
    }

    # X509::extensions returns all extensions as one string, so search it with string match
    if {!([string match "*$requireX509Ext*" $x509Ext])} {
        log local0. "ERROR: Certificate does not contain the '$requireX509Ext' x509 extension"
        reject
    }
}
0
Comments on this Answer
Comment made 1 month ago by Lee Sutcliffe 2773

Because I spend all day writing iRules I forget there's often an easier way - it's also worth noting that you can allow specific extensions in the client-ssl profile settings (under SSL Forward Proxy Settings in the WebUI). Your post title suggests 'keyusage', which is an available option in the profile:

list ltm profile client-ssl clientssl cert-extension-includes
ltm profile client-ssl clientssl {
    cert-extension-includes { basic-constraints subject-alternative-name }
}

create ltm profile client-ssl test defaults-from clientssl cert-extension-includes {
Options:
  }
Values:
  authority-key-identifier       crl-distribution-points        issuer-alternative-name        subject-directory-attributes
  basic-constraints              extended-key-usage             key-usage                      subject-key-identifier
  certificate-policies           fresh-crl                      subject-alternative-name
1
Comment made 1 month ago by ebrc 116

Thank you very much Lee Sutcliffe for the quality of your answer and the time you took to help me. I really appreciate it.
I will test this next Tuesday with my client.

Have a wonderful day!

0

Hi Guys,

Simple example from devcentral:

when CLIENTSSL_CLIENTCERT {
  set client_cert [SSL::cert 0]
  log local0. "Client cert extensions - [X509::extensions $client_cert]"

  foreach item [split [X509::extensions [SSL::cert 0]] \n] {
    log local0. "Extension: $item"
  }
} 

Output:

Client cert extensions - X509v3 Extended Key Usage:          TLS Web Client Authentication

Extension: X509v3 extensions:
Extension:  X509v3 Extended Key Usage:
Extension:  TLS Web Client Authentication

or

Extension: Client cert extensions - (no extensions)

You can test this simple irule:

when CLIENTSSL_CLIENTCERT {
    set client_cert [SSL::cert 0]
    log local0. "Client cert extensions - [X509::extensions $client_cert]"

    # Reject unless the extension text contains the required EKU purpose
    if { !([X509::extensions $client_cert] contains "TLS Web Client Authentication") } {
        reject
    }
}
1
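Both answers above (Lee Sutcliffe's string match inside a catch, and youssef's contains test) look for the phrase anywhere in the whole text that X509::extensions returns. The following iRule is an added example, not code from either poster: it isolates the Extended Key Usage values and checks for an exact purpose in that list, so the phrase appearing as a substring or inside some other extension's text does not satisfy the check. It assumes X509::extensions returns the OpenSSL-style text shown in the log output above, with the purposes following the "X509v3 Extended Key Usage:" header separated by commas; the variable names are my own.

```tcl
# Added example (not from this thread's posters): exact Extended Key Usage check.
# Assumption: X509::extensions returns OpenSSL-style text where the purposes
# follow the "X509v3 Extended Key Usage:" header, comma-separated, as in the
# log output quoted in the answers above.
when CLIENTSSL_CLIENTCERT {
    set requiredEku "TLS Web Client Authentication"

    # A malformed or missing certificate makes X509::extensions raise a Tcl
    # error, which would reset the connection; catch it, log and reject on purpose.
    if {[catch {set extText [X509::extensions [SSL::cert 0]]} err]} {
        log local0. "Client certificate could not be parsed: $err"
        reject
        return
    }

    # Pull the value text that follows the EKU header. \s* spans an optional
    # newline plus indentation, and the optional "critical" flag is tolerated.
    set ekuValues [list]
    if {[regexp -- {X509v3 Extended Key Usage:(?: critical)?\s*([^\n]+)} $extText -> ekuLine]} {
        foreach purpose [split $ekuLine ","] {
            lappend ekuValues [string trim $purpose]
        }
    }

    # Exact membership test on the parsed list rather than a substring search
    # over the whole extension text.
    if {[lsearch -exact $ekuValues $requiredEku] < 0} {
        log local0. "Rejecting [IP::client_addr]: EKU list {$ekuValues} lacks '$requiredEku'"
        reject
        return
    }

    log local0. "Accepted client certificate with EKU: $ekuValues"
}
```

Attach it to a virtual server whose client-ssl profile has client authentication set to request or require; CLIENTSSL_CLIENTCERT fires once the client's certificate has been received, and a certificate with no EKU extension at all yields an empty list and is rejected like any other mismatch.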

As per the documentation in the Wiki you provided, the command X509::extensions returns "(no extensions)" if the certificate doesn't have any extensions.

Most of the information you need to put a very simple iRule together can be found in the example section of the Wiki. In its simplest form you could use the following:

when CLIENTSSL_CLIENTCERT {
    if {[X509::extensions [SSL::cert 0]] eq "(no extensions)"} {
        reject
    }
} 
0
Comments on this Answer
Comment made 1 month ago by ebrc 116

Thank you very much Lee Sutcliffe!

My goal is not to block all connections which don't have "(no extensions)" but to block when there is not "TLS Web Client Authentication" in the "X509v3 extensions" in the client certificate :

<CLIENTSSL_CLIENTCERT>:     X509v3 Extended Key Usage: 
<CLIENTSSL_CLIENTCERT>:         TLS Web Client Authentication

By taking inspiration from your example, I could do this:

when CLIENTSSL_CLIENTCERT {
    # Reject unless the extension text names the required EKU purpose
    if { !([X509::extensions [SSL::cert 0]] contains "TLS Web Client Authentication") } {
        reject
    }
}

What do you think?

0

Hi guys!

This morning I tested the iRule you both sent me and everything is working perfectly, as the client wanted!! :)

I tried to use the options within the client ssl profile but I don't have a field where I can specify exactly what I need ("TLS Web Client Authentication" in my case), so I opted for an iRule.

Lee Sutcliffe and youssef, thank you so much for your help!!
I really appreciate it :)

0
Comments on this Answer
Comment made 1 month ago by Lee Sutcliffe 2773

Pleased you got it working dude :)

0
Comment made 1 month ago by youssef 3631

Hi it's my pleasure !!!

0