client certificate authentication for a particular directory

Question

Hi 
&nbsp;  
&nbsp; I need to use client certificate authentication for a particular directory, for example: 
&nbsp;  
&nbsp; on 
&nbsp;  
&nbsp; https://demo.com (no authentication needed) 
&nbsp; https://demo.com/auth (we requiere to ask for client certificate with oscp verification) 
&nbsp;  
&nbsp; I could configure it for entire URL but not for particular directory. 
&nbsp;  
&nbsp; Is there any way to do that? 
&nbsp;  
&nbsp; Thanks you

hooleylist · Answer

Hi, 
&nbsp;  
&nbsp; There are a few examples of this in the iRules forum and one in the Codeshare.  You might need to tweak the rule based on which LTM version you are running.  I should have an updated example to post in the next few weeks as well. 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/Make_BigIP_request_a_client_certificate_and_pass_it_to_application_code.html 
&nbsp;  
&nbsp; Aaron

psor_73734 · Answer

Aaron, 
&nbsp;  
&nbsp; I'm using LTM 9.44, I need to use ocsp verification, so for a particular directory (example.com/auth), but I dont know how to restrict this behavior (on ssl_profile) to a particular directory. I tried to use irule like this: 
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp;  
&nbsp; when CLIENTSSL_HANDSHAKE { 
&nbsp;     if { [SSL::cert count] &gt; 0 } { 
&nbsp;       HTTP::release     
&nbsp; }   
&nbsp; }   
&nbsp; when HTTP_REQUEST { 
&nbsp;     if {not ([HTTP::uri] starts_with "/abc/") } 
&nbsp;  {      if {[SSL::cert count] == 0} { 
&nbsp;         HTTP::collect 
&nbsp;         SSL::authenticate always 
&nbsp;         SSL::authenticate depth 9 
&nbsp;         SSL::cert mode require 
&nbsp;         SSL::renegotiate 
&nbsp;       }  
&nbsp;    }  
&nbsp;  }  
&nbsp;  
&nbsp; But it dosen't work fine and it dosen't have the logic for ocsp verification. 
&nbsp;  
&nbsp; Thanks you 
&nbsp;  &nbsp;

hooleylist · Answer

It would be good to upgrade to the latest 9.4.x version, 9.4.7 as there have been a number of important fixes since 9.4.4.  For OCSP validation of the client cert, there is a default OCSP verification iRule provided.  You can reference that for ideas to start with.  Once I have a working version I can post that as well.   
&nbsp;  
&nbsp; You may also want to change the cert mode from require to request so you can gracefully handle client requests which don't include a cert. 
&nbsp;  
&nbsp; Aaron

psor_73734 · Answer

I understand what you mean, but If I use request mode, clients will always be prompted to present a client certificate for entire site.. that's not what I want. 
&nbsp;  
&nbsp; Thanks you

hooleylist · Answer

You'll need to set the client SSL profile to ignore client certs.  In the iRule, after examining the requested URI and finding a request to a restricted URI, you'll want to renegotiate the SSL handshake with the client and dynamically set the client SSL filter to request a client cert.  You can do this using: 
&nbsp;  
&nbsp; HTTP::collect 
&nbsp; SSL::session invalidate 
&nbsp; SSL::authenticate always 
&nbsp; SSL::authenticate depth 9 
&nbsp; SSL::cert mode request 
&nbsp; SSL::renegotiate  
&nbsp;  
&nbsp; Make sure to include 'SSL::session invalidate' to force browsers to renegotiate a new SSL session ID.  Not all versions of IE will do this otherwise. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

client certificate authentication for a particular directory

6 Replies

Recent Discussions

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

Related Content

APM Clientless certificate authentication

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

BIG-IQ Client Certificate (PKI) Authentication

Doing mTLS Authentication per URL

Automating ACMEv2 Certificate Management on BIG-IP