Forum Discussion

jondyke_46152
Jan 24, 2011

pass through client certificate irule

I am currently using the iRule below for performing SSL passthrough on traffic. Is there any way I could modify this iRule so that it only passes through SSL traffic that has a client certificate attached, and offloads the rest of the traffic on the F5?

when CLIENT_ACCEPTED {
    # Check if there are members available in the VIP's default pool
    if { [active_members [LB::server pool]] } {
        # Disable the client SSL profile so the HTTPS traffic is passed through encrypted to the node
        SSL::disable
        # Disable the HTTP profile as we're not going to redirect this request
        HTTP::disable
    }
}

when HTTP_REQUEST {
    # The HTTP_REQUEST event is only triggered if the pool members are down
    # and the client SSL and HTTP profiles are left enabled
    # Redirect the client
    HTTP::redirect https://maintenance.example.com
}

Thanks,

Jon

10 Replies

  • Can you validate my assumptions about what you're trying to do?

    1. If there are no active members in the default pool, leave client SSL and HTTP profiles enabled and issue a redirect to https://maintenance.sample.com

    2. If there are active members in the default pool, disable the client SSL and HTTP profiles.

    3. If the client advertises a client cert, pass the traffic through, otherwise, terminate the SSL on the LTM via a client SSL profile?

  • Hi Chris - thanks for the reply.

    The rule I have listed is the current rule we use - however this just passes through all SSL traffic (providing pool members are available) which is a bit blunt. The reason we do passthrough in the first place is that we have two forms of authentication for our site - one certificate based and one using logon and password (database rather than LDAP). If we just do offload, the client certificates for the certificate logon never get to the IIS servers, so this is why we set it up to do passthrough.

    What I am after is some pointers on how to change this rule so that it only does passthrough if a client certificate is attached (and pool members are available). Otherwise it just performs SSL offload using the client SSL profile. This way it means we are at least doing some offloading on this site for non-cert users.
  • Jon, I updated my previous post with some items I was hoping you could validate.
  • I'm running into an issue with this rule. For us to see whether the client has a cert, we'd need to decrypt the data. So, if we're simply doing pass through, we wouldn't see whether the user had a certificate.

    I'm hoping someone else can think of an option here. I assume we want to use the SSL::cert count command here but as that's not callable from CLIENT_ACCEPTED, I'm not sure how it can be done. We can certainly decide whether to re-encrypt the traffic on the backend, but a straight pass through might not be possible.
  • Chris, I think you're right that this wouldn't be simple.

    Jon, if the servers are currently validating the client cert or credentials, why would you need to check for a client cert on LTM?

    I think you either need to do all of the cert validation on LTM with a client SSL profile always enabled, or not try to do it at all on LTM. APM would probably make the cert parsing and validation a lot easier compared with an iRule. But that would require all client SSL be terminated on LTM.

    Aaron
  • Thanks for the responses.

    APM would sort out many of my issues (I could do all of my certificate OCSP handling on the LTM and pass through my certs in the header) but it is not a cheap option and not an easy one to convince the folk with the purse strings to purchase.

    The reason for asking this question is that we already use the passthrough iRule to pass traffic directly to the servers, however only 20% of the clients actually use the certificate logon option. I was looking to see if there was a way of offloading traffic that is not using client certificates as otherwise this particular site is not really taking full advantage of the LTM.

    Chris - you made a valid point about the fact that we would have to decrypt the traffic before we could actually identify if it had a client cert anyway, so I am guessing this would be a little more complex than I first thought. Not to worry, I was just wondering if there was a quick fix - it appears not.

    Thanks for your help.
  • APM VE was just released...not sure whether that means reduced pricing, but thought I'd bring it up. :-P

    http://support.f5.com/content/kb/en-us/products/big-ip_apm/releasenotes/product/relnotes_apm_ve_10_2_1
  • APM would definitely sort the issue but there is no budget for this at the moment. The reason we wish to do this is that there is currently a project underway where we are creating a new website which will have multiple services. It is desirable to perform offload on this site to allow compression and other iRules to be used.

    Having a think about this a bit more, would it be possible to do the following:

    1. Offload all SSL traffic with a client profile.

    2. Check the now un-encrypted traffic to see if a client certificate is actually attached.

    3. If there is a client certificate attached, re-encrypt the traffic with a server SSL profile and send through to the servers (with the original client certificate included).

    4. If no client certificate is attached then pass traffic to the pool over HTTP.

    Thanks again

    Jon
  • Posted By jondyke on 02/08/2011 05:41 AM

    APM would definitely sort the issue but there is no budget for this at the moment. The reason we wish to do this is that there is currently a project underway where we are creating a new website which will have multiple services. It is desirable to perform offload on this site to allow compression and other iRules to be used.

    Having a think about this a bit more, would it be possible to do the following:

    1. Offload all SSL traffic with a client profile.

    2. Check the now un-encrypted traffic to see if a client certificate is actually attached.

    3. If there is a client certificate attached, re-encrypt the traffic with a server SSL profile and send through to the servers (with the original client certificate included).

    4. If no client certificate is attached then pass traffic to the pool over HTTP.

    Thanks again

    Jon

    I can't think of any reason that wouldn't work. Unless others can think of something?
  • If there is a client certificate attached re-encrypt the traffic with a server SSL profile and send through to the servers (with the original client certificate included)

    This part isn't possible, as LTM doesn't have the private key for the client certificate. Typically in this scenario, people will use an iRule to insert details for the client cert that was presented on the clientside connection into an HTTP header for the server to parse and validate. This potentially requires changing the web app to parse the HTTP header(s) instead of the actual client cert.

    Aaron
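The offload-then-decide design Jon sketches above, with the header insertion Aaron describes standing in for "the original client certificate included", written out as an added example iRule that is not from this thread or from F5. It assumes a client SSL profile with Client Certificate set to "request", a server SSL profile on the same virtual server, and two hypothetical pools named iis_https_pool and iis_http_pool.

```tcl
# Added example, not from the thread. Assumes: client SSL profile with
# "Client Certificate: request", a server SSL profile on the virtual server,
# and hypothetical pools iis_https_pool and iis_http_pool.

when CLIENTSSL_CLIENTCERT {
    # Fires during the clientside handshake once the client has answered the
    # CertificateRequest. Keep the leaf cert and its verification result in
    # connection-scoped variables for the HTTP_REQUEST events that follow.
    if { [SSL::cert count] > 0 } {
        set client_cert [SSL::cert 0]
        set client_cert_verify [X509::verify_cert_error_string [SSL::verify_result]]
    }
}

when HTTP_REQUEST {
    # Strip any client-supplied copies of these headers first, so the servers
    # only ever see values that LTM itself inserted on this request.
    foreach hdr {X-Client-Cert X-Client-Cert-Subject X-Client-Cert-Issuer X-Client-Cert-Serial X-Client-Cert-Verify} {
        HTTP::header remove $hdr
    }

    if { [info exists client_cert] } {
        # Certificate logon: LTM holds no private key for the client's cert, so
        # it cannot present it again; forward the cert details in headers and
        # re-encrypt to the servers with the server SSL profile instead.
        HTTP::header insert X-Client-Cert [b64encode $client_cert]
        HTTP::header insert X-Client-Cert-Subject [X509::subject $client_cert]
        HTTP::header insert X-Client-Cert-Issuer [X509::issuer $client_cert]
        HTTP::header insert X-Client-Cert-Serial [X509::serial_number $client_cert]
        HTTP::header insert X-Client-Cert-Verify $client_cert_verify
        SSL::enable serverside
        pool iis_https_pool
    } else {
        # Password logon: stay offloaded and send the request to the servers
        # over plain HTTP so compression and other iRules can act on it.
        SSL::disable serverside
        pool iis_http_pool
    }
}
```

The servers should accept these headers only on connections that come from LTM (a dedicated listener or source-address check on the IIS side); the X-Client-Cert-Verify value is only meaningful if the client SSL profile is configured with the CA bundle that the application expects to validate against.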