Kiran_Kumar
Aug 22, 2013

iRule to pass client ssl cert to the Application server(pool member)

Hi Friends,

Could you please assist me with an iRule to pass the client SSL cert to the application server backend? I can think of an iRule passing info from certain fields in the SSL cert through the headers, but I am not sure how to pass on the entire cert itself to the application server. I would have done some research myself, but given my time-sensitive scenario, I thought of seeking help from the group here. Thank you for the help.

Regards, KK

3 Replies

  • Hi KK,

    You can pass the client cert via a header as follows:

    HTTP::header insert "SSL_CLIENT_CERT" [X509::whole [SSL::cert 0]]

    This will add the cert in its PEM encoding.

  • What about Proxy SSL?

    sol13385: Overview of the Proxy SSL feature

    http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html

  • I would just add that the PEM format returned with [X509::whole [SSL::cert 0]] will have line breaks in it. Example:

    ===== BEGIN CERTIFICATE =====
    Hdurhdudjdushshsjejdushdudjs
    Hsueyejsusuatagsidushsusjsjdu
    ...
    ===== END CERTIFICATE =====
    

    That would probably cause problems as a single HTTP header. I'd recommend either re-base64-encoding that value, or simply base64-encode the raw binary certificate and shove that into the header.

    HTTP::header insert "SSL_CLIENT_CERT" [URI::encode [b64encode [SSL::cert 0]]]
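Added example, not part of the thread: one way an application server could decode the `SSL_CLIENT_CERT` value produced by the last reply's iRule (percent-encoded base64 of the binary certificate) and reject a value that still contains line breaks. `encode_like_irule` is a Python approximation of `URI::encode`/`b64encode` and is an assumption, as are the function names; `SAMPLE_DER` is constructed test data, not a real certificate.

```python
import base64
import binascii
import hashlib
import ssl
from urllib.parse import quote, unquote

# Constructed bytes that only look like DER (leading SEQUENCE tag 0x30).
SAMPLE_DER = b"\x30\x82\x01\x03" + bytes(range(256)) + b"\xfb\xff\xfe"


def encode_like_irule(der: bytes) -> str:
    """Approximate [URI::encode [b64encode $der]]: base64, then percent-encode."""
    return quote(base64.b64encode(der).decode("ascii"), safe="")


def decode_cert_header(value: str) -> dict:
    """Recover DER, PEM and SHA-256 fingerprint from the header value."""
    # A multi-line PEM block must never arrive inside a single header.
    if "\r" in value or "\n" in value:
        raise ValueError("header value contains line breaks")
    b64 = unquote(value)  # undo percent-encoding; '+' is left untouched
    try:
        der = base64.b64decode(b64, validate=True)  # strict: no stray bytes
    except binascii.Error as exc:
        raise ValueError("header value is not valid base64") from exc
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if not der.startswith(b"\x30"):
        raise ValueError("decoded value is not a DER SEQUENCE")
    return {
        "der": der,
        "pem": ssl.DER_cert_to_PEM_cert(der),  # re-wrap at 64 columns
        "sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    header_value = encode_like_irule(SAMPLE_DER)
    cert = decode_cert_header(header_value)
    print("header length:", len(header_value))
    print("fingerprint:  ", cert["sha256"])
    try:
        # Raw PEM, as in the first reply, carries line breaks and is refused.
        decode_cert_header(cert["pem"])
    except ValueError as err:
        print("raw PEM rejected:", err)
```
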