Forum Discussion

Karthik_Kumaran
Mar 20, 2015

Insert Common Name Value to HTTP Header

We have a virtual server that listens on 443, offloads SSL and forwards the connection to the server on 80. We want to insert the SSL certificate's Common Name in the HTTP header when the LTM sends the connection to the backend servers on 80, so the backend servers are aware of the Common Name in the SSL transaction between the client and the LTM. Are there any options available in the HTTP profile or SSL profile for this, or can this be done using an iRule?

This is available in Cisco ACE using the "ssl header-insert client-cert Subject-CN" command in an action-list. Trying to identify how this can be done in LTM.

5 Replies

  • I'm not where I can test it, but do these links help give you an idea on how to accomplish? Validate cert cn and the SSL::cert wiki page.

    Then you could use the command

    HTTP::header insert "SOMETHING" "VALUE"

    to insert a header into the request.

  • Hi Karthik,

    Inserting this information requires a client-ssl profile (providing a server certificate to the client, with a client certificate requested by the server).

    The header insert also requires an http profile.

    You can use an iRule to insert the header. Please adjust the header name according to your needs.
    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert 0] ne "" } {
            # full subject and issuer DNs, plus the CN extracted from each
            set ssl_clientcert_subject [X509::subject [SSL::cert 0]]
            set ssl_clientcert_subject_cn [findstr $ssl_clientcert_subject "CN=" 3 ","]
            set ssl_clientcert_issuer [X509::issuer [SSL::cert 0]]
            set ssl_clientcert_issuer_cn [findstr $ssl_clientcert_issuer "CN=" 3 ","]
        }
    }
    when HTTP_REQUEST {
        # only insert the header when a client certificate was seen on this connection
        if { [info exists ssl_clientcert_subject_cn] } {
            HTTP::header insert ClientCertSubjectCn "$ssl_clientcert_subject_cn"
        }
    }


    Please note other interesting variables in this context:

    HTTP::header replace "BIGIP_SSL_CIPHER_NAME" "[SSL::cipher name]"
    HTTP::header replace "BIGIP_SSL_CIPHER_BITS" "[SSL::cipher bits]"
    HTTP::header replace "BIGIP_SSL_PROTOCOL" "[SSL::cipher version]"
    HTTP::header replace "BIGIP_SSL_SESSIONID" "[SSL::sessionid]"
    

    I'm currently not sure about using white space in a header value (as might be the case if the CN contains whitespace characters) and whether it would be required to encode it.

    Thanks, Stephan
  • Thanks for the responses Mike and Steve.

    Steve, in your iRule, does the "when CLIENTSSL_CLIENTCERT" condition make the header changes required during the LTM-to-backend pool server communication? In my case the client hits the virtual server on 443, the LTM does SSL offload and transfers the connection to the backend pool server on 80. I want the CN insertion in the header while the LTM sends the connection to the backend pool server on 80.

    • StephanManthey
      Hi Karthik, yes, that's exactly the expected behavior. In the context of CLIENTSSL_CLIENTCERT the CN will be retrieved from the certificate sent by the client and stored in a variable. After the client has sent an HTTP request over the established connection, the HTTP_REQUEST event will be fired and the header named "ClientCertSubjectCn" will be inserted with the value of the CN.

      Feel free to give another name to the header. I just picked this name as I do not know exactly the header name the ACE will use. After looking up the Cisco doc it looks like the header name is "ClientCert-Subject-CN". That's why the relevant line would be changed into:

      HTTP::header insert ClientCert-Subject-CN "$ssl_clientcert_subject_cn"

      Thanks, Stephan

      PS: For testing proper client auth configuration in your client-ssl profile you may want to use the posted iRule (2nd one for SSL) in the following thread: https://devcentral.f5.com/questions/irule-to-emulate-web-server-in-lab-environment-plaintext-version-nossl
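
The following is an added example, not an iRule posted in this thread. It is a variant of the rule above that only forwards a CN taken from a certificate that passed the CA verification configured on the client-ssl profile, and that strips any copy of the header the client sent itself, so a client connecting without a certificate cannot set ClientCert-Subject-CN on its own behalf. It assumes a client-ssl profile with client authentication set to "request" or "require" and a trusted CA bundle, plus an http profile on the virtual server; the header name follows the Cisco name given above, and the variable name is an assumption.

```tcl
# Added example (not from the original thread). Assumes: client-ssl profile with
# client authentication "request" or "require" and a trusted CA bundle, http
# profile on the virtual server. Header and variable names are assumptions.
when CLIENTSSL_CLIENTCERT {
    # Only trust the CN when a certificate was presented AND it verified
    # against the profile's CA bundle (verify_result 0 == X509_V_OK).
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set client_cn [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
    }
}

when HTTP_REQUEST {
    # Drop any client-supplied copy first so the backend can only ever see a
    # value the LTM itself set from the verified certificate.
    HTTP::header remove "ClientCert-Subject-CN"
    if { [info exists client_cn] } {
        # The variable is set once per TLS connection, so every request on a
        # kept-alive connection carries the same verified CN.
        HTTP::header insert "ClientCert-Subject-CN" $client_cn
    }
}
```

On the whitespace question raised above: HTTP header values may contain spaces and horizontal tabs between visible characters (RFC 7230 field-value), so a CN such as "John Smith" needs no encoding; only leading and trailing whitespace is stripped by the receiver. Characters outside printable ASCII are a different matter and would need an encoding agreed with the backend. Because `$client_cn` is passed to `HTTP::header insert` as a single Tcl word, a CN containing spaces is still one header value.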