Forum Discussion

Willda71_98408's avatar
Willda71_98408
Icon for Nimbostratus rankNimbostratus
Sep 28, 2011

SSL/NON-SSL

 

 

 

 

Hi there,

 

 

 

i originally posted this in the security group but a member said Id be better off posting it here. He said i could achieve what I wanted (please see below) with an irule butif I have the APM I wouldnt need an irule?

 

 

 

Any help really appreciated.

 

 

 

"First post and I know very little about the F5 big-ip other than we have them. So apologies there

 

 

 

We are looking to implement a solution whereby users must use SSL to access a particular web app if they have the correct client cert. For users who don't have the cert yet we want the solution to automatically revert to use HTTP for this app and continue. We want it to be seamless to the user.

 

 

 

We plan on using the BIG-IP for the SSL termination at the perimeter.

 

 

 

Can the big-ip detect that the users machine doesn't have the cert and redirect to http? Or am I way off course here?

 

 

 

Thanks"

 

 

application delivery
dev
devops
iRules

4 Replies

Sort By
  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Sep 28, 2011
    Hi Willda71,

     

     

    Yes. The F5 can detect if the Client has a Client SSL Certificate. This is configured in the Client side SSL Profile (what is applied in the Virtual Server under SSL Profile (Client)).

     

     

    To configure the profile you go to (on v10.x.x): Profiles -> SSL -> Client

     

     

    Select the Client SSL Profile (or create a custom SSL Profile (Recommended)) and scroll down to the "Client Authentication" Area. The help for these options are pretty good so you should not have any problems configuring the base requirements.

     

     

    You will then need to decide what to do with what you get. That is all pretty much handled by an iRule. I would suggest reading up on the iRule event that you will be needing (CLIENTSSL_CLIENTCERT): http://devcentral.f5.com/wiki/iRules.CLIENTSSL_CLIENTCERT.ashx

     

     

    Here is a really good example. This iRule requests a Client SSL Certificate based on the URI:

     

    http://devcentral.f5.com/wiki/iRules.client_cert_request_by_uri_with_ocsp_checking.ashx

     

  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Sep 28, 2011
    After doing some additional tinkering, you might want to ignore the SSL Profile and handle everything in an iRule (it is much easier to manage what is happening.

    Here is a beginning example: 

     
when HTTP_REQUEST {
log local0. "Beginning HTTP Request Event."
SSL::cert mode request
if { [SSL::cert count] == 0 } {
log local0. "SSL Certificate Count equals Zero.  Redirecting."
HTTP::redirect "http://www.google.com"
}
}

    You will still need to handle the processing for which SSL Certificates you will consider valid and how you want to validate them, but again, it seems much easier to work with that information in an iRule.

    Hope this helps.
  • Brian_Deitch_11's avatar
    Brian_Deitch_11
    Historic F5 Account
    Sep 28, 2011
    If the back end server needs to see what client cert was presented, you can throw it in the HTTP header 

     when HTTP_REQUEST {
if { [SSL::cert count] > 0 } {
set thecert [findstr [X509::whole [SSL::cert 0]] "-----BEGIN CERTIFICATE-----" 28 "-----END CERTIFICATE-----"]
set certnospace [string map -nocase {" " "" \n "" \r ""} $thecert] 
HTTP::header insert ssl.client_cert $certnospace

}
}
  • Willda71_98408's avatar
    Willda71_98408
    Icon for Nimbostratus rankNimbostratus
    Sep 29, 2011
    Thanks so much for that...

     

     

    I found out I have mixture of different LTMs (different ones for different locations based on when they where purchased). So basically I have LTM 6400 v9.2.3 and LTM 6900 V10.2.0. Would the older versions need updating?

     

     

    So what you are saying is that I don't need the APM to do this, just create an irule? I assume if I did use the APM (apart from other functionality and benefits an APM provides) would it provide a graphical interface to do this type of stuff.

     

     

    Many thanks for your time.