SSL Certificate Info put in HTTP Header after Renegotiate

Question

I am trying to create a virtual server that can route traffic to different pools based on the URI, and can require client certificates only for specific URI patterns. 
&nbsp;  
&nbsp; When the client certificates are required, I need to renegotiate the SSL and pass the client certificate subject in an http header to the pool destination.  I need to be able to change the SSL profile to “clientprofile_1IBE_LCMX_cert_required” before the renegotiate so that the browser will present only certificates issued by a certain CA. 
&nbsp;  
&nbsp; I have found numerous examples of pieces of this and have created the scenario below.  It works as far as requiring a client cert only for the URI that begins with /certreq, but I then the request never gets sent to the selected pool. 
&nbsp;  
&nbsp; In looking at my debug statements in the log, it looks like the HTTP_REQUEST_SEND event is not triggered after the SSL::renegotiate is done and the client certificate is sent.  Is there something else that I have to do to release the http request after the SSL::renegotiate. 
&nbsp;  
&nbsp; I am a newbie with irules, so any help would be appreciated.  We are using version 9.4.7. 
&nbsp;  
&nbsp; virtual vs_1IBE_MyApp { 
&nbsp;    snat automap 
&nbsp;    pool pool_1IBE_App1_dev 
&nbsp;    destination 192.168.1.18:20000 
&nbsp;    ip protocol tcp 
&nbsp;    rules irule_1IBE_ssl_renegotiate 
&nbsp;    httpclass 
&nbsp;       http_1IBE_LCMX_App1_a0 
&nbsp;       http_1IBE_LCMX_App2_a0 
&nbsp;    profiles 
&nbsp;       clientprofile_1IBE_LCMX_nocert 
&nbsp;       f5-dev-crypto-server 
&nbsp;       http 
&nbsp;       oneconnect 
&nbsp;       tcp 
&nbsp; } 
&nbsp;  
&nbsp;  
&nbsp; rule irule_1IBE_ssl_renegotiate { 
&nbsp; when CLIENTSSL_CLIENTCERT { 
&nbsp;     log local0. "MyApp SSL verify_result is [SSL::verify_result]" 
&nbsp;     log local0. "MyApp SSL cert count is [SSL::cert count]" 
&nbsp;     set certcnt [SSL::cert count] 
&nbsp;     if { $certcnt &gt; 0} { 
&nbsp;         log local0. "LCMatrix client certificate found.  HTTP::release" 
&nbsp;         set ssl_cert [SSL::cert 0] 
&nbsp;         set ssl_subject [X509::subject $ssl_cert] 
&nbsp;         log local0. "LCMatrix client certificate subject is $ssl_subject for session [SSL::sessionid]" 
&nbsp;         session add ssl [SSL::sessionid] $ssl_subject 1200 
&nbsp;        log local0. "MyApp client certificate found.  HTTP::release" 
&nbsp;        HTTP::release 
&nbsp;     } 
&nbsp; } 
&nbsp; when HTTP_REQUEST { 
&nbsp;      log local0. "MyApp request received for [HTTP::uri]" 
&nbsp;      if { [HTTP::uri] starts_with "/certreq" } { 
&nbsp;         set ssl_subject [session lookup ssl [SSL::sessionid]] 
&nbsp;         log local0. "MyApp client certificate required for: [HTTP::uri]" 
&nbsp;         if { $ssl_subject equals "" } { 
&nbsp;             log local0. "MyApp client certificate not found. Holding HTTP request until a client cert is presented..." 
&nbsp;             HTTP::collect 
&nbsp;             SSL::authenticate always 
&nbsp;             SSL::authenticate depth 9 
&nbsp;             SSL::cert mode require 
&nbsp;             SSL::renegotiate 
&nbsp;             set ssl_subject [session lookup ssl [SSL::sessionid]]    
&nbsp;          } 
&nbsp;          session add ssl [SSL::sessionid] $ssl_subject 1200 
&nbsp;      } 
&nbsp; } 
&nbsp; when HTTP_REQUEST_SEND { 
&nbsp;     clientside { 
&nbsp;         if { [HTTP::uri] starts_with "/plintl00" } { 
&nbsp;             pool pool_1IBE_LCMX_App2_a0 
&nbsp;             HTTP::header insert "X-SSL-Client-Cert-Subject"[X509::subject [SSL::cert 0]] 
&nbsp;             log local0. "MyApp subject header inserted [X509::subject [SSL::cert 0]]" 
&nbsp;         } 
&nbsp;         log local0. "MyApp request sent for [HTTP::uri]" 
&nbsp;     } 
&nbsp; } 
&nbsp; } 
&nbsp;  
&nbsp;  
&nbsp; profile clientssl clientprofile_1IBE_LCMX_cert_required { 
&nbsp;    defaults from clientssl 
&nbsp;    key "keyf5cloudtest.key" 
&nbsp;    cert "cerf5cloudtest.crt" 
&nbsp;    client cert ca "ca-CommercialRSA.crt" 
&nbsp;    peer cert mode ignore 
&nbsp; } 
&nbsp; profile clientssl clientprofile_1IBE_LCMX_nocert { 
&nbsp;    defaults from clientssl 
&nbsp;    key "default.key" 
&nbsp;    cert "default.crt" 
&nbsp; } 
&nbsp; profile serverssl f5-dev-crypto-server { 
&nbsp;    defaults from serverssl 
&nbsp;    key "datapower_cert.key" 
&nbsp;    cert "datapower_cert.crt" 
&nbsp;    chain none 
&nbsp;    ca file none 
&nbsp;    ciphers "DEFAULT" 
&nbsp;    passphrase "abcdefghij" 
&nbsp;    options  
&nbsp;       dont insert empty fragments 
&nbsp;    modssl methods disable 
&nbsp;    renegotiate period indefinite 
&nbsp;    renegotiate size indefinite 
&nbsp;    unclean shutdown enable 
&nbsp;    strict resume disable 
&nbsp;    handshake timeout 60 
&nbsp;    alert timeout 60 
&nbsp;    cache size 20K 
&nbsp;    cache timeout 3600 
&nbsp; } 
&nbsp;  
&nbsp;  
&nbsp; profile httpclass http_1IBE_LCMX_App1_a0 { 
&nbsp;    defaults from httpclass 
&nbsp;    pool pool_1IBE_LCMX_App1_a0 
&nbsp;    redirect none 
&nbsp;    url rewrite none 
&nbsp;    asm disable 
&nbsp;    paths "/App1*" 
&nbsp; } 
&nbsp; profile httpclass http_1IBE_LCMX_App2_a0 { 
&nbsp;    defaults from httpclass 
&nbsp;    pool pool_1IBE_LCMX_App2_a0 
&nbsp;    redirect none 
&nbsp;    asm disable 
&nbsp;    paths "/App2*" 
&nbsp; } 
&nbsp;  
&nbsp; pool pool_1IBE_LCMX_App1_a0 { 
&nbsp;    monitor all https 
&nbsp;    members 192.168.1.18:10000 
&nbsp; } 
&nbsp; pool pool_1IBE_LCMX_App2_a0 { 
&nbsp;    monitor all https 
&nbsp;    members 192.168.1.18:20000 
&nbsp; } 
&nbsp;

clayton_63491 · Answer

I noticed that after the SSL::renegotiate, the CLIENTSSL_CLIENTCERT event is triggered. The HTTP::release in the CLIENTSSL_CLIENTCERT event does not cause the HTTP_REQUEST_SEND event to be triggered.  So the HTTP request is never sent to the pool.  Is there any known problems in 9.4.7 that would prevent the HTTP::release from releasing the HTTP payload?

spark_86682 · Answer

That looks like it should work, but there's a lot going on and I didn't look in-depth. Can you add a line that logs in HTTP_REQUEST_DATA, just to see if that event fires after the HTTP::release?

hooleylist · Answer

Did you ever figure this out?  Was it a post request?  I wonder if you removed the HTTP classes whether it would affect the issue. 
&nbsp;  
&nbsp; Aaron

hooleylist · Answer

Actually, was the pool down, by chance?  I saw HTTP_REQUEST_DATA not trigger in a test for a related iRule (Click here) when the pool was down. 
&nbsp;  
&nbsp; On the other hand, TMM was crashing for me on 9.4.7 when I tested with a client presenting a valid cert. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

SSL Certificate Info put in HTTP Header after Renegotiate

4 Replies

Recent Discussions

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

Related Content

SSL Profiles Part 6: SSL Renegotiation

SSL 3.0.7 - Unsafe legacy renegotiation disabled on client side

Re: Management Certificate

Re: SSL Renegotiation DOS attack – an iRule Countermeasure

Automate Let's Encrypt Certificates on BIG-IP