Forum Discussion

Ryan_Rowe_79249
Dec 23, 2009

IP restrict, then client cert check

BigIP 8.3.3 and 8.4.1 (hopefully there is no difference)

So here is what I want to do. If an IP is in a data group, then pass it through; if not, then authenticate it with an SSL cert.

I think it would look something like this:

    when HTTP_REQUEST {
       if { [matchclass [IP::client_addr] equals $::IPdatagroup] } {
          # client IP is in the data group: pass the request through
       } elseif { 0 } {
          # placeholder condition: the client cert check goes here
       } else {
          HTTP::respond 403 content "403 - Forbidden"
       }
    }

Anyone know the best way to do this? I basically want to do cert authentication for people who are not in the IP group.

7 Replies

  • Here is what I found:

    http://devcentral.f5.com/Wiki/default.aspx/iRules/ClientCertificateCNChecking.html

    From part 3 I have made this, but I don't know if it will work. My iRule would look like this:

    when RULE_INIT {
       set ::debug 1
    }

    when CLIENTSSL_CLIENTCERT {
       # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
       set subject_dn [X509::subject [SSL::cert 0]]
       if { $subject_dn != "" } {
          if { $::debug } { log "Client Certificate received: $subject_dn" }
       }
    }

    when HTTP_REQUEST {
       if { [matchclass [IP::client_addr] equals $::IPdatagroup] } {
          # client IP is in the data group: pass through
       } elseif { [info exists subject_dn] && ($subject_dn contains "CN=Company A") } {
          # a client cert with the expected subject was received: pass through
       } else {
          HTTP::respond 403 content "403 - Forbidden"
       }
    }

    Would this work?
  • So this is what I did, and it seems not to work... both profiles work, but not the iRule.

    when CLIENT_ACCEPTED {
       if { [matchclass [IP::client_addr] equals $::Test_IPs] } {
          SSL::profile NoBrowserCert
       } else {
          SSL::profile BrowserCert
       }
    }

    when HTTP_REQUEST {
       SSL::renegotiate
    }

    I got this from http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__profile.html

    *edit: fixed the code (too many brackets). But I have another issue: it continues to use my NoBrowserCert profile when I try to switch.
  • Can you remove the HTTP_REQUEST event and retest? Also, you only need one set of square braces around matchclass. It shouldn't matter which client SSL profile you specify in the VIP config as the iRule will set it based on the client IP address check.

    when CLIENT_ACCEPTED {
       if { [matchclass [IP::client_addr] equals $::Test_IPs] } {
          SSL::profile NoBrowserCert
       } else {
          SSL::profile BrowserCert
       }
    }

    If this doesn't work, can you clarify what happens when testing from a client in the Test_IPs class and one not in the class?

    Thanks,

    Aaron
  • So if I am not in the Test_IPs class, it will ask for a cert but then continue to pass me through if I don't have one; and if I am in the class, it will just pass me through without asking for a cert. I need it to block me if I don't have a browser cert and am not in the Test_IPs class.

    The BrowserCert class has Client Authentication -> Client Certificate set to "request" for the profile, because "require" doesn't work for me when just testing out the BrowserCert SSL profile.

    *edit - I also removed the HTTP_REQUEST event.
  • If you want to use this simple iRule and two client SSL profiles, you'll need to set one profile to require a client cert in order to prevent a client without a client cert from accessing the pool. I'd suggest testing the client cert profile further without the iRule. Once you get that working, then you can test the iRule and both profiles.

    If you'd like help testing the client cert profile issue, can you post an anonymized copy of the clientssl profile using 'b profile clientssl PROFILE_NAME list'?

    Thanks,

    Aaron
  • I opened a ticket with F5 about the SSL profile, and they said that I need to switch the client authorization from require to request, and that made it work. They said this: try changing "peer cert mode require" to "peer cert mode request".

    The require option (I have been told) does not function correctly and will break client auth in a lot of circumstances.

    The request mode still requires the client to auth.

    But here is the output of the command:

    b profile clientssl BrowserCert list

    profile clientssl BrowserCert {
       defaults from clientssl
       key "Encrypt-Cert.key"
       cert "Encrypt-Cert.crt"
       ca file "Encrypt-CA.crt"
       peer cert mode require
       authenticate once
    }

    b profile clientssl NoBrowserCert list

    profile clientssl NoBrowserCert {
       defaults from clientssl
       key "Encrypt-Cert.key"
       cert "Encrypt-Cert.crt"
       chain "Encrypt-CA.crt"
    }

    b profile clientssl clientssl list

    profile clientssl clientssl {
       mode enable
       key "default.key"
       cert "default.crt"
       chain none
       ca file none
       crl file none
       client cert ca none
       ciphers "DEFAULT"
       modssl methods disable
       cache size 20000
       cache timeout 3600
       renegotiate period indefinite
       renegotiate size indefinite
       renegotiate max record delay 10
       handshake timeout 60
       alert timeout 60
       peer cert mode ignore
       authenticate once
       authenticate depth 9
       unclean shutdown enable
       strict resume disable
    }
  • Setting the client cert mode to request is only useful if the iRule or the web application validates the client cert. If you want LTM to do this using the client SSL profile it must be set to require. If you have a case open with F5 Support, you could ask them to help you capture a tcpdump and use ssldump to troubleshoot the failure. You might also be able to get some relevant info from the /var/log/ltm log file (somewhat doubtful on this though).

    If that turns into a dead end, you could use a more complicated iRule which dynamically requests and validates a client cert based on the client IP address.

    Aaron
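As an added example (not code from this thread, from F5, or from the DevCentral wiki pages linked above), here is one way to write the "more complicated iRule" Aaron describes, which also answers the original question of passing trusted IPs through and requiring a cert from everyone else. It reuses the thread's names (the `Test_IPs` data group and the `BrowserCert` / `NoBrowserCert` client SSL profiles). It assumes `BrowserCert` is configured with `peer cert mode request` and a `ca file`, so that the handshake asks for a cert and produces a verify result without LTM itself enforcing it; the subject-DN match string `CN=Company A` and the `$::debug` flag are assumed placeholders. The point is that in `request` mode the iRule, not the profile, has to do the enforcement, so a client that sends no cert or a cert that fails CA verification is rejected at `HTTP_REQUEST`.

```tcl
when RULE_INIT {
   # assumed debug switch for logging the received subject DN
   set ::debug 1
}

when CLIENT_ACCEPTED {
   # Per-connection state. need_cert: this client must present a cert.
   # cert_ok: a cert arrived and passed both CA verification and the DN check.
   set cert_ok 0
   if { [matchclass [IP::client_addr] equals $::Test_IPs] } {
      # trusted source: use the profile that never asks for a client cert
      set need_cert 0
      SSL::profile NoBrowserCert
   } else {
      # everyone else: profile with "peer cert mode request" (assumed) so the
      # handshake requests a cert; enforcement happens below, not in the profile
      set need_cert 1
      SSL::profile BrowserCert
   }
}

when CLIENTSSL_CLIENTCERT {
   # Fires only when the client actually presents a certificate. With
   # "request" mode a failed verification does not abort the handshake,
   # so check the verify result explicitly (0 means the chain verified
   # against the profile's CA file) in addition to the subject DN.
   if { [SSL::cert count] > 0 } {
      set subject_dn [X509::subject [SSL::cert 0]]
      if { [SSL::verify_result] == 0 && ($subject_dn contains "CN=Company A") } {
         set cert_ok 1
      }
      if { $::debug } {
         log local0. "Client cert from [IP::client_addr]: $subject_dn verify=[SSL::verify_result] ok=$cert_ok"
      }
   }
}

when HTTP_REQUEST {
   # Deny when a cert was required but none arrived (CLIENTSSL_CLIENTCERT
   # never fired, so cert_ok is still 0) or the one that arrived failed checks.
   if { $need_cert && !$cert_ok } {
      if { $::debug } { log local0. "Rejecting [IP::client_addr]: client cert required" }
      HTTP::respond 403 content "403 - Forbidden"
      return
   }
}
```

Because `cert_ok` is connection-scoped, the decision is made once per TLS connection and applies to every keep-alive request on it, which is the behaviour you want with `authenticate once`. If the profile is instead left at `peer cert mode require`, LTM rejects the handshake itself for clients without an acceptable cert and the `CLIENTSSL_CLIENTCERT` / `HTTP_REQUEST` checks become a second line of defence rather than the only one.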