Cirrus
Server authentication -> server certificate (require/ignore). Am I in the right place?
Cirrostratus
You can configure a clientssl profile to request or require a client cert. A server ssl profile's client cert configuration is used to authenticate all serverside connections to the pool. This is independent of the clientside connection.
If the client cert validation from the clientssl profile fails the client connection will be reset. You can use an iRule to expand the error handling and send an HTTP response when the client cert validation fails. You can do more through a GUI using the APM module.
Let me know if you have any questions on any of these points.
Thanks, Aaron
Nimbostratus
I am also in need of SSL client authentication. I have read SOL10167 and still have a few questions before I attempt to implement this. My goal is to "require" client authentication and have the BIG-IP drop the request if the certificate that the client sends does not match that of one that I specify on the BIG-IP. After reading this article, it appears that you can only restrict per CA, not per certificate? I need to specify this "trusted CA" in the "Trusted Certificate Authorities" option box under the SSL profile. Once I select a CA bundle in this option box, and then enable "Require" under Client Authentication, if the client sends a request from a CA not included in "Trusted Certificate Authorities," the BIG-IP will reject the request? There is no way to enforce client authentication purely on a specific SSL certificate (rather than a SSL certificate coming from a particular CA)?
Thanks!
Josh
Nimbostratus
Employee
have u seen this one? is it what u r looking for?
http://devcentral.f5.com/wiki/default.aspx/iRules/ClientCertificateCNChecking.html
Nimbostratus
Nimbostratus
I am trying to accomplish the same thing have you had any luck with just the client authentication "require" with just CA? Please share. Thx!
Nimbostratus
The server certificate is emitted by Verising and the client certificate is selfsign. In fact, I loaded the CA certificate from my client to be a trusted CA.
I tested to open the web page without a client certificate require and works fine.
Any recommendations?....
Nimbostratus
If you are looking to do something more advanced you can use an iRule in conjunction with the Client Authentication.
For example: I configured a Virtual Server to Require Client Authentication in the SSL Profile and that works in conjunction with this iRule that checks the Hex value of the SSL Certificate serial number in a list of "Valid / Authorized" Certificates. If the SSL Certificate is in the list then you are passed through, if not....you are rejected.
when CLIENTSSL_CLIENTCERT {
if { [SSL::cert count] == 0 } {
log local0. "No Certificate Provided"
drop
}
else {
log local0. "Certificate 1: [X509::serial_number [SSL::cert 0]]"
log local0. "Client Certificate Recieved - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
if { [class match [X509::serial_number [SSL::cert 0]] equals ValidCertificates] } {
log local0. "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
}
else {
log local0. "Client Rejected -IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
reject
}
}
}
I am sure that there are other examples in the iRules forum. I would suggest searching on the "CLIENTSSL_CLIENTCERT" Event.
Nimbostratus
In the line " if { [class match [X509::serial_number [SSL::cert 0]] equals ValidCertificates] }"
where is the "ValidCertificates" allocated??.
Regards.
Cirrostratus
Aaron