SSL client cert request per URL

Hi, I have LTM only. How can I deploy a client certificate request on a specific URL? If the client goes to /example he doesn't need a certificate; if he goes to the /secure URL on the same VIP, the client needs to provide a client certificate. I think I need an iRule: when the HTTP request arrives, do an SSL renegotiation with client cert required.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You can see a good example here: https://devcentral.f5.com/wiki/iRules.SSL__renegotiate.ashx

But to be clear, you cannot change the attributes of an existing SSL session (OSI layer 6) based on HTTP information (layer 7). In other words, by the time you can see the HTTP URI, you've already processed the SSL. The above link shows an iRule method to force SSL renegotiation and to prompt for a cert (SSL::cert mode require). You can also more easily do this with "step-up authentication" in APM.

0
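An iRule built on the renegotiation method the accepted answer links to, added here as an example (not the answer author's or F5's own code). It assumes a ClientSSL profile with Client Certificate set to "request" that permits renegotiation, a protected prefix of /secure as in the question, and TLS 1.2 or lower (TLS 1.3 and HTTP/2 have no renegotiation); the `renegotiating` flag is my own, added so the initial handshake is never rejected.

```tcl
# Added example; not from the page. Assumes ClientSSL profile allows
# renegotiation and that only /secure* paths require a client cert.
when CLIENT_ACCEPTED {
    # Flag so CLIENTSSL_HANDSHAKE can tell the forced renegotiation
    # apart from the connection's initial handshake.
    set renegotiating 0
}

when HTTP_REQUEST {
    if { [string tolower [HTTP::path]] starts_with "/secure" } {
        if { [SSL::cert count] == 0 } {
            # No cert on this session yet: hold the request, then ask
            # for a cert on the existing connection. The count check
            # prevents a renegotiation loop on later requests.
            set renegotiating 1
            HTTP::collect
            SSL::cert mode require
            SSL::renegotiate
        } elseif { [SSL::verify_result] != 0 } {
            # A cert was presented earlier but failed CA validation.
            HTTP::respond 403 content "Client certificate not valid"
        }
    }
    # Any other path (e.g. /example) is served without a certificate.
}

when CLIENTSSL_HANDSHAKE {
    # Fires on every handshake, so only act on the one we forced.
    if { $renegotiating } {
        set renegotiating 0
        if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
            HTTP::release
        } else {
            reject
        }
    }
}
```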
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Igor,

First of all, you have to configure your client cert like this:

Client Authentication:

  • Client Certificate: request
  • Frequency: once
  • Retain cert: yes
  • Trust cert: your CA that signs user certs
  • Advert cert: your CA that signs user certs

Then try this iRule:

when HTTP_REQUEST {

    # Connection identifier used in the log lines below. The original
    # never set $uid, which raises a TCL error at runtime; this line is added.
    set uid "[IP::client_addr]:[TCP::client_port]"

    set cert_provided 0

    if { [SSL::cert count] > 0 } {
        for {set i 0} {$i < [SSL::cert count]} {incr i} {
            log local0. "uid: $uid - cert number: $i"
            log local0. "Issuer Info: [X509::issuer [SSL::cert $i]]"
            log local0. "cert serial: [X509::serial_number [SSL::cert $i]]"

            set cert_provided 1

            # A presented cert that fails validation counts as not provided.
            if { [SSL::verify_result] != 0 } {
                log local0. "uid: $uid - Cert Error: [X509::verify_cert_error_string [SSL::verify_result]]"
                set cert_provided 0
            }
        }
    } else {
        log local0. "uid: $uid - No client certificate provided"
        set cert_provided 0
    }

    # URIs that need a valid client cert; everything else passes through.
    if { !($cert_provided) } {
        switch -glob [string tolower [HTTP::uri]] {
            "/uri1" { reject }
            "/uri2" { reject }
            "/uri3" { reject }
            default {
                # do nothing
            }
        }
    }

}
Comments on this Answer
Comment made 4 months ago by igorzhuk 69

Can't I deploy it only when the client goes to /secure, and after that do the SSL renegotiation and request the client cert? Because I don't want BIG-IP asking for the certificate if the client goes to /example.

Comment made 3 months ago by igorzhuk 69

What about the uid variable? I got a TCL error.
