Xavier_Gillmann
Sep 09, 2005 (Nimbostratus)
(Client) SSL profiles config from iRules
Hi all,
First I have to say that this forum is really great: I found so many indications here... thank you everybody!! I hope this topic will contribute to this rich source of information...
I saw quite a lot of topics about controlling SSL connections from iRules... one of which gives instructions to do more or less half of what I need to do: change the SSL profile for a specific URI.
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/manual/" } {
        # Ask for a client certificate on this URI only, then renegotiate
        # so the client is prompted on the already-open connection
        SSL::cert mode require
        log local0.warn "Requiring certificate and Renegotiate..."
        log local0.warn "Set Authenticate always and depth 9..."
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::renegotiate
    } else {
        # Every other page: do not request a certificate
        SSL::cert mode ignore
        log local0. "Other Pages"
    }
}
My first question is: what about the CRL file?
With the console, switching from "require" to "ignore" apparently "cleans up" the "crl file" entry in the clientssl profile (i.e. in bigip.conf)... is this also the case when switching from iRules?
If not, how do I 'start with' "ignore" as the cert mode (a mode for which I cannot set the CRL from the console)? Is it enough to write directly into bigip.conf something like:
profile clientssl xxx {
    defaults from clientssl
    key "xxx.key"
    cert "xxx.crt"
    ca file "xxx.crt"
    crl file "xxx.crl"
    peer cert mode ignore
}
My second question is not a 'pure iRules' one... I have 2 valid CAs... As the client SSL profile's "Trusted Certificate Authorities" setting is single-valued, I created one SSL certificate bundle by simply appending the 2 CAs into one file. And it seems to work fine...
BUT both CAs publish their CRLs over HTTP as DER files. So I'm planning to do the same as for the certificates: convert the DER files to PEM files... and append them into one (which would be the xxx.crl file above).
I guess I need some OS-level scripting to do (and automate) that... and am thinking of something like
#!/bin/bash
set -e
cd /config/ssl/ssl.crl
# Fetch each CA's DER CRL (wget -O names the output file; the URLs are placeholders)
wget -q -O firstCA.crl url_to_firstCA_crl_file
openssl crl -inform DER -in firstCA.crl -outform PEM -out firstCA_PEM.crl
wget -q -O secondCA.crl url_to_secondCA_crl_file
openssl crl -inform DER -in secondCA.crl -outform PEM -out secondCA_PEM.crl
# One PEM bundle to use as the profile's "crl file"
cat firstCA_PEM.crl secondCA_PEM.crl > xxx.crl
# Sanity check (note: -text only prints the first CRL of a bundle)
openssl crl -in xxx.crl -text -noout
This little script would be scheduled (I don't know yet how!) every day.
The problem is: wget is not installed on my BigIP... nor is a C compiler (to build wget binaries!).
I know I could install them... but I feel this would introduce security risks on the BigIP... and I feel it gets a bit dirty going deeper in this direction... So my question is: is there any other (simpler?) means to do what I'm planning to do???
thanks in advance for the help,
Xavier
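The CRL refresh procedure described in the post, written out as an added example by the editor (it is not part of Xavier's post and not F5 code). It goes a step beyond the sketch above: each downloaded CRL is checked for well-formedness, signature against the trusted CA bundle, and a nextUpdate still in the future before it is accepted, and the live bundle file is only replaced once every CRL has passed, so a failed or truncated download can never leave an empty or half-written xxx.crl behind. Assumptions: curl is present on the box (used in place of the missing wget), GNU date is available, and the URLs and /config/ssl paths in refresh_crl_bundle are placeholders to replace. The make_test_ca function at the end is a constructed fixture (throwaway CAs with empty, signed CRLs) so the script can be exercised without network access.

```bash
#!/bin/bash
# Added example (not from the original post): maintain a two-CA CRL bundle
# for a BIG-IP clientssl profile. Assumes curl and GNU date; paths/URLs are placeholders.
set -eu

# Download one CRL. -f makes an HTTP error fail instead of saving an error page as "the CRL".
fetch_crl() {  # fetch_crl URL DEST
  curl -fsS --max-time 60 -o "$2" "$1"
}

# DER -> PEM. Exits non-zero if the input is not a well-formed CRL (e.g. a truncated download).
der_to_pem() {  # der_to_pem IN.der OUT.pem
  openssl crl -inform DER -in "$1" -outform PEM -out "$2"
}

# A CRL is usable only if its signature verifies against a CA in the bundle
# and its nextUpdate is still in the future.
verify_crl() {  # verify_crl CRL.pem CA_BUNDLE.crt
  openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q '^verify OK' \
    || { echo "CRL $1: issuer/signature check failed" >&2; return 1; }
  local next; next=$(openssl crl -in "$1" -noout -nextupdate | cut -d= -f2)
  [ "$(date -u -d "$next" +%s)" -gt "$(date -u +%s)" ] \
    || { echo "CRL $1: nextUpdate $next is in the past" >&2; return 1; }
}

# Number of CRLs in a PEM bundle ('openssl crl -text' only shows the first one).
count_crls() { grep -c '^-----BEGIN X509 CRL-----$' "$1"; }

# Convert and verify every DER CRL, then install the bundle with an atomic rename.
build_bundle() {  # build_bundle OUT.crl CA_BUNDLE.crt CRL1.der [CRL2.der ...]
  local out=$1 ca=$2 tmp pem der n=0; shift 2
  tmp=$(mktemp "$out.XXXXXX"); pem=$(mktemp)
  for der in "$@"; do
    der_to_pem "$der" "$pem" && verify_crl "$pem" "$ca" || { rm -f "$tmp" "$pem"; return 1; }
    cat "$pem" >> "$tmp"; n=$((n + 1))
  done
  rm -f "$pem"
  [ "$(count_crls "$tmp")" -eq "$n" ] || { rm -f "$tmp"; return 1; }
  chmod 0644 "$tmp"
  mv -f "$tmp" "$out"   # rename is atomic: the live CRL file is never half-written
}

# The daily job. Placeholder URLs and paths; the CA bundle is the one the profile already trusts.
refresh_crl_bundle() {
  local work rc=0; work=$(mktemp -d)
  fetch_crl "http://crl.first-ca.example/first.crl" "$work/first.der" \
    && fetch_crl "http://crl.second-ca.example/second.crl" "$work/second.der" \
    && build_bundle /config/ssl/ssl.crl/xxx.crl /config/ssl/ssl.crt/xxx.crt \
         "$work/first.der" "$work/second.der" || rc=$?
  rm -rf "$work"; return "$rc"
}

# Constructed test fixture (no network): a throwaway CA plus an empty, signed CRL in DER.
make_test_ca() {  # make_test_ca DIR "CN name"  -> DIR/ca.crt, DIR/ca.crl
  mkdir -p "$1" && ( cd "$1" \
    && openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
         -keyout ca.key -out ca.crt 2>/dev/null \
    && : > index.txt && echo 01 > crlnumber \
    && printf '[ca]\ndefault_ca=x\n[x]\ndatabase=index.txt\ncrlnumber=crlnumber\ndefault_md=sha256\ndefault_crl_days=1\n' > ca.cnf \
    && openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -out ca.crl.pem 2>/dev/null \
    && openssl crl -in ca.crl.pem -outform DER -out ca.crl )
}

# Run as "crl-refresh.sh refresh" (e.g. from cron) to update the live bundle.
case "${1:-}" in refresh) refresh_crl_bundle ;; esac
```

Scheduling is then a single cron line such as `0 3 * * * /config/crl-refresh.sh refresh` (path and time are placeholders). Because the bundle is verified before the rename and the rename itself is atomic, a CA whose CRL endpoint is down simply leaves yesterday's bundle in place, which the nextUpdate check will flag once it lapses; that is the failure you want to see in the job's output rather than a silently empty CRL file.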