
R_Marc
Jun 13, 2014

iRules MSSL client cert detection

Problem: I have an SSL mutually authenticated web service. The BigIP is serving only as a TCP load balancer. The BigIP is in one-arm mode. I need to identify the client IP with a client cert/identity.


This worked, though I'm sure it's a horrible hack of code:


when CLIENT_DATA {
  # Passthrough TCP: the TLS handshake is visible in the raw payload, so look
  # for the OU string that all of the client certs carry.
  if { [string tolower [TCP::payload]] contains "users" } {
      set s [TCP::payload]
      # Strip control bytes, then anything outside printable ASCII, then
      # everything except letters, digits, dots and spaces, so only the
      # readable certificate strings remain for the log line.
      regsub -all {[\u0000-\u001f\u007f]+} $s "" s
      regsub -all {[^\u0020-\u007e]+} $s "" s
      regsub -all {[^a-zA-Z0-9\. ]} $s "" s
      log local0. "$s [IP::client_addr] [LB::server addr]:[LB::server port]"
  }
  # Forward the buffered data to the pool member and keep collecting the
  # following segments, so later handshake messages are inspected too.
  TCP::release
  TCP::collect
}
when LB_SELECTED {
  # Marker line per connection, then start buffering client data.
  log local0. "-"
  TCP::collect
}

In my case, the client certs all have an OU with "users", which is why I'm searching for that.


The output looks like this (output edited for your protection):


Jun 13 04:08:29 bip info tmm11[14332]: Rule /Common/get-client-cert-rule : 00Em05FX20H010dcom10dcompany10UCompany10USomething10USubordinate CA0120329144554Z160328144714Z010dcom10dcompany10dips1402UCompany External Web Service10Uusers10U900617.KeyClientCustTest00H0b.SUwzMN2xaaA8ACdKSybNurwMdoJDL217foWfi1i9gVTyfSQ0YENSAfG2.cT. e00U0CxKeSUMz0U00U 00H003httpcertificates.company.comCPS000Company0The Company Certification Practice Statement governs this certificate and is incorporated by reference herein. Limited Liability0CU008642httpblah.company.comPRDCRLEXCCRL.crl0U00U0HB0UyqhL90HJXsw.ZAwhxK2ANjN8BrXI9U Asdvq 10.0.0.1 10.0.1.2:443

I'm open to better ways of doing this.
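As an added, runnable illustration (not the poster's iRule; written in Python so it can be run offline), the Certificate handshake message the rule above is scraping has fixed framing, so the OU values can be pulled out of a captured record deterministically instead of by stripping bytes. The TLS record and the DER "certificate" inside it are constructed stand-ins, and the approach only applies to TLS 1.2 and earlier, where the client Certificate message travels in the clear.

```python
import struct
TLS_HANDSHAKE = 0x16                     # record content type: handshake
HS_CERTIFICATE = 0x0B                    # handshake message type 11: Certificate
OU_OID = b"\x06\x03\x55\x04\x0b"         # DER TLV of OID 2.5.4.11 (organizationalUnitName)
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}   # UTF8String, PrintableString, T61String, IA5String

def _u24(buf, off):
    """3-byte big-endian length, as used throughout TLS handshake framing."""
    return int.from_bytes(buf[off:off + 3], "big")

def certificates_from_record(payload):
    """Return the DER blobs carried by a TLS <=1.2 Certificate record, else [].
    In TLS 1.3 this message is encrypted, so a passthrough LB sees nothing."""
    if len(payload) < 9 or payload[0] != TLS_HANDSHAKE:
        return []
    hs = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
    if len(hs) < 7 or hs[0] != HS_CERTIFICATE or _u24(hs, 1) != len(hs) - 4:
        return []
    certs, off, end = [], 7, 7 + _u24(hs, 4)
    while off + 3 <= end:                # each entry: 3-byte length + DER certificate
        clen = _u24(hs, off)
        certs.append(hs[off + 3:off + 3 + clen])
        off += 3 + clen
    return certs

def ou_values(der):
    """Every organizationalUnitName value in the DER bytes, issuer RDNs first,
    then subject (the same order the log line above shows)."""
    values, pos = [], 0
    while (pos := der.find(OU_OID, pos)) >= 0:
        pos += len(OU_OID)
        if pos + 2 <= len(der) and der[pos] in STRING_TAGS and der[pos + 1] < 0x80:
            values.append(der[pos + 2:pos + 2 + der[pos + 1]].decode("latin-1"))
    return values

def client_ous(payload):
    return [ou for cert in certificates_from_record(payload) for ou in ou_values(cert)]

# Constructed sample: a TLS 1.2 Certificate record whose single "certificate" is just
# a DER SEQUENCE of two OU attributes (a stand-in, not a real X.509 certificate).
def _attr(value):
    body = OU_OID + b"\x0c" + bytes([len(value)]) + value
    return b"\x30" + bytes([len(body)]) + body
_rdns = _attr(b"Subordinate CA") + _attr(b"users")
_cert = b"\x30" + bytes([len(_rdns)]) + _rdns
_list = len(_cert).to_bytes(3, "big") + _cert
_hs = bytes([HS_CERTIFICATE]) + (len(_list) + 3).to_bytes(3, "big") + len(_list).to_bytes(3, "big") + _list
SAMPLE_CERT_RECORD = bytes([TLS_HANDSHAKE, 3, 3]) + struct.pack("!H", len(_hs)) + _hs
SAMPLE_APPDATA_RECORD = b"\x17\x03\x03\x00\x04\xde\xad\xbe\xef"  # opaque encrypted data
```

Running `client_ous(SAMPLE_CERT_RECORD)` returns both OU values in order, while an application-data record yields nothing, which is also what a TLS 1.3 handshake would look like to this parser.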

