Forum Discussion
After terminating at the LTM to do mutual auth can you insert the client cert into the tcp header
I have an application that uses the LTM to terminate the SSL connection to check the client cert for mutual authentication, to make sure it is from the company it says it is from. The app on the server side wants the cert to be injected into the header so they can look/do something with it. Can a cert fit in the header and is this doable?
2 Replies
- Kevin_Stewart
Employee
Absolutely, and it's a fairly common use case.
```tcl
when HTTP_REQUEST {
    # only insert the header when the client actually presented a certificate
    if { [SSL::cert count] > 0 } {
        HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" [X509::whole [SSL::cert 0]]
    }
}
```
- Lee_Sutcliffe
Nacreous
Sure, you can use this method to attempt to get the certificate from CLIENTSSL_CLIENTCERT; if that fails you can extract it from HTTP_REQUEST.
```tcl
proc getCert {} {
    if {[SSL::cert count] > 0} {
        # validate certificate: 0 = OK
        if {[SSL::verify_result] == 0} {
            set result [X509::whole [SSL::cert 0]]
        } else {
            set result ERROR
        }
    } else {
        set result ERROR
    }
    return $result
}

when CLIENTSSL_CLIENTCERT priority 100 {
    # validate and retrieve certificate
    set x509certificate [call getCert]
}

when HTTP_REQUEST priority 100 {
    if {!([info exists x509certificate])} {
        set x509certificate [call getCert]
    }
    if {$x509certificate eq "ERROR"} {
        log local0. "[IP::client_addr]:[TCP::client_port] Bad certificate, rejecting connection"
        HTTP::respond 403 content "Connection forbidden - invalid certificate"
        return
    } else {
        log local0. "[IP::client_addr]:[TCP::client_port] Client Certificate Accepted, inserting header"
        HTTP::header insert SSL_X509 $x509certificate
    }
}
```
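On the receiving side, the app has to turn the header value back into a certificate and should only trust it when the request really arrived through the LTM, since both iRules above append the header and a client reaching the server directly could supply its own copy. The following Python receiver is an added example, not code from this thread or from F5; it assumes the iRule sends the PEM with its line breaks removed (an HTTP header value cannot carry them), and the LTM self-IPs in TRUSTED_PROXIES and the sample certificate bytes are constructed for the example.

```python
import base64
import re

# Header names used by the two iRules in this thread.
CERT_HEADERS = ("X-ENV-SSL_CLIENT_CERTIFICATE", "SSL_X509")
# Constructed for this example: LTM self-IPs; only their certificate headers are trusted.
TRUSTED_PROXIES = {"10.0.0.5"}
_NOT_BASE64 = re.compile(r"[^A-Za-z0-9+/=]")

def header_to_der(value):
    """Rebuild DER from a header: PEM with line breaks removed or spaced out."""
    body = value.replace("-----BEGIN CERTIFICATE-----", "")
    body = _NOT_BASE64.sub("", body.replace("-----END CERTIFICATE-----", ""))
    if not body:
        raise ValueError("empty certificate header")
    return base64.b64decode(body, validate=True)   # ValueError if not base64

def looks_like_der_certificate(der):
    """Sanity check before a real X.509 parser: outer SEQUENCE, length matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        header_len, length = 2, first
    else:                                 # long form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header_len, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header_len + length == len(der)

def client_cert_from_request(environ):
    """WSGI lookup: DER bytes, or None if untrusted peer, no header, or bad."""
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None
    for name in CERT_HEADERS:
        value = environ.get("HTTP_" + name.upper().replace("-", "_"))
        if value:
            try:
                der = header_to_der(value)
            except ValueError:
                return None
            return der if looks_like_der_certificate(der) else None
    return None

# Constructed stand-in for a DER certificate: a 300-byte SEQUENCE body (not a
# real X.509 structure), sent the way the LTM header would carry it.
SAMPLE_DER = b"\x30\x82\x01\x2c" + b"\x00" * 300
SAMPLE_HEADER = "-----BEGIN CERTIFICATE----- %s -----END CERTIFICATE-----" % base64.b64encode(SAMPLE_DER).decode()
```

The DER bytes returned here still need to go through a real X.509 library for issuer and validity checks; the LTM has already verified the chain, so the app's job is mainly to read the subject and bind it to the request.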