Forum Discussion

JCMATTOS_41723
May 14, 2015

Create custom Client Certificate Authentication with iRule?

We currently run 11.4.1 and have a Client Certificate Authentication profile enabled on a virtual server that works fabulously. However, we have been asked if we can somehow selectively choose by URI/path when to use Client Certificate Authentication. I've looked around the iRule forums and I don't see anything that addresses the TrustedCA portion. We would still like to leverage the TrustedCA exchange and authentication piece, but be able to parse through the URI to allow certain directories to pass unauthenticated. For example, 2 clients, CompanyA and CompanyB, are hitting the same service.

CompanyA - Doesn't need 2way SSL when hitting directory /companyA/

CompanyB - Must have 2way SSL when hitting directory /companyB/

It seems as though the SSL client profile for CCA is part of the SSL negotiation and will not allow the non-2-way client (CompanyA) to pass through successfully to reach the iRule configured below. Any suggestions?

```tcl
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/pattern" } {
        # Hold the request until the renegotiated handshake (and the
        # certificate checks in CLIENTSSL_CLIENTCERT) have completed.
        HTTP::collect
        SSL::cert mode require
        SSL::renegotiate
        # Provisional pool; CLIENTSSL_CLIENTCERT rejects the connection
        # if the presented certificate does not match.
        pool TestSSL
    } else {
        # Paths that do not need 2-way SSL pass through unauthenticated.
        pool TEST
    }
}

when CLIENTSSL_CLIENTCERT {
    # The certificate is only available once the renegotiated handshake
    # has delivered it, so the checks live here rather than in HTTP_REQUEST.
    set ssl_cert [SSL::cert 0]
    set isMatch 0
    set org "Company name"
    set locality "Warszawa"
    set name "www.f5.net"
    set country "PL"
    set issorg "Thawte Consulting (Pty) Ltd."
    set isscn "Thawte SGC C"
    set issctr "Us"
    set subject_dn [X509::subject $ssl_cert]
    set issuer_dn [X509::issuer $ssl_cert]
    log local0. "Client Certificate Received: $subject_dn, $issuer_dn"

    # "contains" is a case-sensitive substring test against the DN strings.
    if { ($subject_dn contains $org) and ($subject_dn contains $locality) and \
         ($subject_dn contains $name) and ($subject_dn contains $country) and \
         ($issuer_dn contains $issorg) and ($issuer_dn contains $isscn) and \
         ($issuer_dn contains $issctr) } {
        log local0. "Client Certificate Accepted: $subject_dn, $issuer_dn"
        set isMatch 1
    }
    if { $isMatch == 0 } {
        log local0. "No Matching Client Certificate Was Found Using: $subject_dn"
        reject
    } else {
        # Release the held request so it proceeds to the TestSSL pool.
        HTTP::release
    }
}
```