Forum Discussion

arjen_kuindersm
May 26, 2014

Passing client SSL certificate to server / f5 LTM 11.5

Hi,

I'm trying to pass the SSL client certificate to the backend server:

Traffic should flow like: Client --> (SSL) --> f5 --> (SSL) --> windows 2012 server.

From the forums it should be very easy, since the 11.x stores the client certificates in the session:

when HTTP_REQUEST {
    if { [SSL::cert count] > 0 } {
        HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" [X509::whole [SSL::cert 0]]
    }
}

The BIG-IP inserts the client certificate in the headers, however, when I read back the header only a part of the certificate is present in the header. I can only see "-----BEGIN CERTIFICATE-----" with 21 correct lines of the original PEM certificate. The last 4 lines including "-----END CERTIFICATE-----" are missing.

I'm using the following lines to get the header values:

 # log every request header name and value (opening brace on the foreach line, as Tcl requires)
 foreach aHeader [HTTP::header names] {
     log local0. "$aHeader: [HTTP::header value $aHeader]"
 }

Please help! Could this be a bug? Who has client certificate passthrough working on 11.5+?

3 Replies

  • it seems okay here.

    by the way, since you want to pass the client certificate to the server, why don't you use proxy ssl instead?

    sol13385: Overview of the Proxy SSL feature

    http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html

    e.g.

     version
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys version
    
    Sys::Version
    Main Package
      Product  BIG-IP
      Version  11.5.1
      Build    0.0.110
      Edition  Final
      Date     Wed Mar 12 15:44:53 PDT 2014
    
     config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            myclientssl {
                context clientside
            }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 32
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
      if { [SSL::cert count] > 0 } {
        HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" [X509::whole [SSL::cert 0]]
      }
    }
    }
    
     test
    
    [root@ve11a:Active:In Sync] config  ssldump -Aed -nni 0.0 port 80
    New TCP connection 1: 200.200.200.14(36589) <-> 200.200.200.101(80)
    1401091886.4554 (0.0216)  C>S
    ---------------------------------------------------------------
    HEAD / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.24.10
    Accept: */*
    X-ENV-SSL_CLIENT_CERTIFICATE: -----BEGIN CERTIFICATE-----
     MIIFrTCCA5WgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEL
     MAkGA1UECBMCV0ExDTALBgNVBAoTBEFjbWUxEDAOBgNVBAsTB1N1cHBvcnQxGDAW
     BgNVBAMTD2NhMjAxMy5hY21lLmNvbTAeFw0xMzA4MzAxNDAyMzlaFw0xNDA4MzAx
     NDAyMzlaMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2Vh
     dHRsZTENMAsGA1UEChMEQWNtZTENMAsGA1UECxMEU2FsZTEWMBQGA1UEAxMNam9o
     bi5hY21lLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALnrK4pG
     ryK/klOnBiL6qy0/9nreOpjGKsd6hGOh0GKFUOqqSX0QTpZTX7fYMQldbvOwBYwU
     iPfSi3V/XVX6zhTm407KgzyGq4iyI9FgZeDm8B6DWn7lTaAnqYvgy+LySc/Lq+jH
     p5dfvcP1YG9Sj1mwFTDH/wNr8sLTx11ISFAvFTk7edqE8jBPDYXqXFUaJ+GzMTsd
     pyR7r7iM3FwYDBA7fCSu8L7FB4bN1ZU0R/Tp4uN8vt2w3ubi1qbJ1gWlEbLBm9dg
     cg+uvTsebPExHFokxqqdrsmQYrW4YPG1YaD2NaC46v23xHPNXqmR6OeTHkohO5Ve
     wkSWQO6G2H04j3p6O1lezcq8IOxJVo7E8cK+UfwU3hepRiq/i88KsOPLk+mzXNjw
     qU3gG2IX7DI9faVVuN1fe2Act0Ag3ao3FmDnDXyPQsqcgAD5fvy113KihtlcpH5M
     mACXqcioxqVGwBFevKHxipPmjQB6C9XCGqDIF/f10ThXu5DtvIPvDGaKa0jqq9Ip
     x7uDqNVknKUQuyUH7T85vrG05H9c6Qmaxiwq1M0L/YUKQt6MoU6S3BWM75Tbmi3w
     z/n8kTTGozO35lPfoMPLoHaj4Z0a7/0bYA3DMS33zMtXBy3VF3TjcxMgnAKg4sDq
     FmJd6M+gK7ghjt7FjzNixGSDC2P4b5x/BSTjAgMBAAGjezB5MAkGA1UdEwQCMAAw
     LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
     A1UdDgQWBBTXvtvLZ4qH+c06S4fwluvs46sjVDAfBgNVHSMEGDAWgBSCOznFhO68
     X2r1WREpmuBuEabGcTANBgkqhkiG9w0BAQUFAAOCAgEAGEp0eT3sYEL5xAPPRuwV
     jPvPLKjssZxCDbubCM8lQSNiOw6bwEvvZ7NFGhO/lcrUU7+PxEKYs9g2KuwJBMsF
     0dm5yF9lw+pvBKSGWwrFsQzGrWzZhICb5evYon1jxIVqbdHFI+eAo3S3XnEUS9gh
     oJOz7+LvmzLtTdv7pR0pw7ne2m0zsYQGdBz0HCwEO1wVlNXsbCo/1Tpo0ANOXlfL
     fQJGLfJQzXVyd2/CRCQ/opIBYeOBBfjcFJofe7AC2QunlERaZF+qz5yiRC2tzdTE
     /P8nqdhT3a0bWfm59AmtWGfM2yZnQJJgY4SpaWfseSq8YQ56Dqq3ZQJxJQUzwh3b
     ChfM1T4Ye4rqyIFalS/xDGbqGBm30LfGZQly7FqXM4B6hCO9fbMoe4lfWu8kVVkE
     1R7yQwqVDOlCOHV4+GQCFKYV9QN//RW7IKTV1PjHKozW0P1VfSM+C5Utw+kxBCWI
     cQIJLIjKBNCCZxwkzIgQ4727LZN3s0bM6GGWVaXTKqkwu6N6It32BmgvS+831dYE
     Un/lnsfTnjalKaLGKnKiDCRF5SCfN2/K5MQrb9w7vWihBP5+6D8di9ovgqxQdshm
     LXTL8GG1dL0Wb0rkCn4hfVVCK8yKqg//OZe1UV6jKEz3Mx+jOSC9dh6SJ+XhuM/2
     pMa6PwcOHthiG9nRGqrFbYU=
     -----END CERTIFICATE-----
    
    
    ---------------------------------------------------------------
    
  • When I use the ssldump command I also see the full certificate. So that probably means the part that prints the header doesn't work properly and set me on the wrong track. However, the server doesn't accept the client certificate. Is there a way to compare the exact headers between client<>f5 and f5<>webserver? I would like to compare them, I see a lot of examples with alternatives to 'X-ENV-SSL_CLIENT_CERTIFICATE'...

    I will have a look at the proxy-ssl. Didn't investigate this feature yet.

  • Is there a way to compare the exact headers between client-f5 and f5-webserver

    can you compare it in tcpdump? you have the private keys to decrypt both sides of the traffic, haven't you?

    if you want to log, is the HTTP_REQUEST_SEND or HTTP_REQUEST_RELEASE event useful?

    HTTP

    https://devcentral.f5.com/wiki/irules.HTTP.ashx
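The iRule below is an added example, not the original poster's rule and not F5-supplied code. It ties together the two points raised in the thread: the header insertion from the first post, and the last reply's suggestion to look at the request on the server-side event. It assumes a client SSL profile that requests the client certificate, a pool member that reads the header name used in the thread (X-ENV-SSL_CLIENT_CERTIFICATE), and that HTTP:: commands in HTTP_REQUEST_SEND must be wrapped in clientside {} as the DevCentral event page shows; the static debug flag and the 200-character chunk size are arbitrary choices. It removes any copy of the header the client may have sent (so a client cannot spoof a certificate to the backend), inserts the PEM on a single line instead of as a folded multi-line header, logs identifying fields instead of the whole certificate, and, when debugging is switched on, logs the full value in numbered chunks so no single log line is cut off the way the first post describes.

```tcl
# Added example, not the original poster's rule or F5-supplied code.
# Assumes: a client SSL profile that requests the client certificate, and a
# pool member that reads the header name used in the thread,
# X-ENV-SSL_CLIENT_CERTIFICATE. The debug flag and chunk size are arbitrary.

when RULE_INIT {
    # set to 1 on a test box to log the full header value in chunks
    set static::cert_hdr_debug 0
    # characters per log line chunk; keeps each line well under the log line limit
    set static::cert_hdr_chunk 200
}

when HTTP_REQUEST {
    # Never trust this header from the client: remove any copy the client
    # sent so only the value the BIG-IP inserts can reach the server.
    HTTP::header remove "X-ENV-SSL_CLIENT_CERTIFICATE"

    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        # X509::whole returns PEM with embedded line breaks, which becomes a
        # folded multi-line header (visible in the ssldump output above). Send it
        # as a single line: strip CR, replace LF with a space; the receiver
        # restores the line breaks before parsing.
        set pem [string trim [string map [list "\r" "" "\n" " "] [X509::whole $cert]]]
        HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" $pem

        # Log identifying fields rather than the whole certificate: long values
        # are cut off in a single log line, and the full PEM is noise in syslog.
        log local0. "client [IP::client_addr] cert subject=[X509::subject $cert] serial=[X509::serial_number $cert] issuer=[X509::issuer $cert] hdr_len=[string length $pem]"
    } else {
        log local0. "client [IP::client_addr] presented no certificate"
    }
}

when HTTP_REQUEST_SEND {
    # Server-side view, as suggested in the last reply: what is actually sent
    # toward the pool member. The pool member address is read before switching
    # context; HTTP:: commands are wrapped in clientside {} because the HTTP
    # filter state belongs to the client-side flow in this event.
    set srv [IP::server_addr]
    clientside {
        if { [HTTP::header exists "X-ENV-SSL_CLIENT_CERTIFICATE"] } {
            set v [HTTP::header value "X-ENV-SSL_CLIENT_CERTIFICATE"]
            set n [string length $v]
            log local0. "to $srv X-ENV-SSL_CLIENT_CERTIFICATE len=$n begins=[string range $v 0 39] ends=[string range $v end-39 end]"
            if { $static::cert_hdr_debug } {
                # Emit the whole value in numbered chunks so no single line
                # exceeds the log limit and the pieces can be reassembled.
                for {set i 0} {$i < $n} {incr i $static::cert_hdr_chunk} {
                    set j [expr {$i + $static::cert_hdr_chunk - 1}]
                    log local0. "hdr_chunk [expr {$i / $static::cert_hdr_chunk}]: [string range $v $i $j]"
                }
            }
        } else {
            log local0. "to $srv X-ENV-SSL_CLIENT_CERTIFICATE missing"
        }
    }
}
```

Comparing the two legs then comes down to comparing the len/begins/ends line logged here with what tcpdump or ssldump shows on the client side, without the whole certificate ever having to fit in one log line. On the receiving server the value is restored by replacing each space between the BEGIN and END markers with a line break (or the backend can decode the base64 body directly), and the server should likewise only accept this header from the BIG-IP's address, never from arbitrary clients.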