Forum Discussion

Jim_Sellers_473
Nov 18, 2011

SSL Authentication issues

Our method is to have them purchase a cert from an authority (although we’re trying to get self-signed certs to work for initial testing), give us the serial of that cert and we’ll put it in a Data Group List that our iRule checks. So we’ll check for a valid cert and that it matches our list of serials. Below is the iRule as it is now and a screen capture of the section of the SSL Client profile I was talking about.


Some scratch notes from last night’s testing:

In Stage Environment:

if we request client cert, clients with no cert come through

if we require client cert, passes to iRule and valid clients are rejected

IE8 gets through

Firefox does not get through

iRule - ncf-tls-poc.443

    when CLIENTSSL_CLIENTCERT {
        # fires during the handshake when the client certificate is processed
        if { [SSL::cert count] == 0 } {
            log local0. "No Client Certificate Provided - IP:[IP::client_addr]"
            drop
        } else {
            log local0. "Client Certificate Received - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            # the presented serial must appear in the data group of approved serials
            if { [class match [X509::serial_number [SSL::cert 0]] equals ncf-tls-poc.443-ValidCertificateSNs] } {
                log local0. "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            } else {
                log local0. "Client Rejected - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
                reject
            }
        }
    }
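To make the check the original poster describes concrete, here is an added model of that decision in Go using the standard library's crypto/x509 (example code written for this page, not an iRule and not from anyone in the thread). It assumes the data group stores serials as uppercase hex with two digits per byte, which is how the reply's log line `Serial:01` reads, and it builds its own throwaway CA and client certificates as constructed input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert builds a constructed test certificate for cn; parent == nil makes it self-signed.
func newCert(cn string, serial int64, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed: the cert is its own issuer, so it must carry the CA flag
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, pk = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk))
	return must(x509.ParseCertificate(der)), key
}

// Decide reproduces the iRule's verdict with the clientssl profile's "ca file" check made
// explicit: no cert -> drop; chain valid for client auth and serial listed -> accept; else reject.
func Decide(certs []*x509.Certificate, roots *x509.CertPool, allowed map[string]bool) string {
	if len(certs) == 0 {
		return "drop"
	}
	// Serial as the thread's data group lists it ("01"): uppercase hex, two digits per byte (assumed format).
	serial := fmt.Sprintf("%X", certs[0].SerialNumber.Bytes())
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := certs[0].Verify(opts); err != nil || !allowed[serial] {
		return "reject"
	}
	return "accept"
}
```

A serial is only unique within one issuing CA, so the allow-list is only as selective as the CA file in the clientssl profile; the same logic rejects a self-signed test certificate until that certificate itself is what the profile trusts.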


3 Replies

  • It seems to be okay on my Firefox.

    [root@ve1023:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:443
       ip protocol 6
       rules myrule
       profiles {
          http {}
          myclientssl {
             clientside
          }
          tcp {}
       }
       vlans external enable
    }
    [root@ve1023:Active] config  b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    [root@ve1023:Active] config  b profile myclientssl list
    profile clientssl myclientssl {
       defaults from clientssl
       ca file "ca.crt"
       peer cert mode require
    }
    [root@ve1023:Active] config  b class ncf-tls-poc.443-ValidCertificateSNs list
    class ncf-tls-poc.443-ValidCertificateSNs {
       "01"
    }
    [root@ve1023:Active] config  b rule myrule list
    rule myrule {
       when CLIENTSSL_CLIENTCERT {
            if { [SSL::cert count] == 0 } {
                    log local0. "No Client Certificate Provided - IP:[IP::client_addr]"
                    drop
            } else {
                    log local0. "Client Certificate Recieved - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
                    if { [class match -- [X509::serial_number [SSL::cert 0]] equals ncf-tls-poc.443-ValidCertificateSNs] } {
                            log local0. "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
                    } else {
                            log local0. "Client Rejected - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
                            reject
                    }
            }
    }
    
    when HTTP_REQUEST {
            log local0. "[IP::client_addr]:[TCP::client_port]|[HTTP::header User-Agent]"
    }
    
    when HTTP_RESPONSE {
            log local0. "[IP::client_addr]:[TCP::client_port]|[IP::remote_addr]:[TCP::remote_port]|[HTTP::status]"
    }
    }
    
    [root@ve1023:Active] config  cat /var/log/ltm
    Nov 18 09:08:46 local/tmm info tmm[24220]: Rule myrule : Client Certificate Recieved - IP:192.168.204.7 Serial:01
    Nov 18 09:08:46 local/tmm info tmm[24220]: Rule myrule : Client Accepted - IP:192.168.204.7 Serial:01
    Nov 18 09:08:46 local/tmm info tmm[24220]: Rule myrule : 192.168.204.7:53485|Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
    Nov 18 09:08:46 local/tmm info tmm[24220]: Rule myrule : 192.168.204.7:53485|200.200.200.101:80|200
    
    
  • For some reason clients aren't getting dropped when they don't match the datagroup....
  • For some reason clients aren't getting dropped when they don't match the datagroup.... Thanks for the response :)