Forum Discussion
Skuba_85554
Nimbostratus
Aug 11, 2009
bypassing client authentication
I've got a virtual server listening on 443 which uses both a certificate for SSL and also requires client authentication. This works fine.
I've now been informed of another set of users ...
hoolio
Cirrostratus
Aug 21, 2009
Hi Skuba,
You could add logic in CLIENTSSL_HANDSHAKE to check for clients making a request with no cert after the renegotiation. You could also validate the client cert against either the SSL cert in the client SSL profile or using a trusted CA cert. You can use SSL::verify_result. You'd probably also want to check the AUTH::status value in AUTH_RESULT to see whether the OCSP validation was completed successfully.
Note there is an issue where you can't differentiate between no response and a revoked status from the OCSP responder using AUTH::status. F5 is tracking this in CR126501. A workaround is to create a pool containing the OCSP server IP address(es) and then use a monitor to check the status of the pool. You can then use [active_members $ocsp_pool] in your iRule to detect whether the OCSP servers are down.
Aaron
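A worked iRule along the lines Aaron describes, added here as an example; it is not code from this thread or from F5. It assumes the client SSL profile is set to request (not require) a client certificate, so the handshake completes whether or not one is presented and the iRule makes the decision; a pool named ocsp_pool containing the OCSP responder IP(s) with a health monitor attached (the CR126501 workaround); the stock default_ssl_ocsp PAM auth configuration; and an exempt network of 10.1.0.0/16 for the users who may connect without a cert. All of those names and the address range are assumptions, and the treatment of AUTH::status 0 as success follows the system _sys_auth_ssl_ocsp iRule rather than anything stated in the thread.

```tcl
# Example iRule (added, not from the original thread). Assumed names:
#   ocsp_pool          - pool of OCSP responder IPs with a monitor
#   default_ssl_ocsp   - PAM auth configuration used for OCSP checks
#   10.1.0.0/16        - network allowed to connect without a client cert

when CLIENTSSL_CLIENTCERT {
    set ocsp_sid 0
    set ocsp_done 0

    if { [SSL::cert count] == 0 } {
        # No certificate presented. Decision is made in CLIENTSSL_HANDSHAKE.
        return
    }

    # Chain verification against the Trusted CA bundle in the client SSL
    # profile. 0 is X509_V_OK; anything else is a failure.
    if { [SSL::verify_result] != 0 } {
        log local0. "[IP::client_addr]: client cert failed verification: \
            [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }

    # AUTH::status cannot distinguish "responder down" from "revoked"
    # (CR126501), so check responder health first and fail closed.
    if { [active_members ocsp_pool] == 0 } {
        log local0. "[IP::client_addr]: no OCSP responder available, rejecting"
        reject
        return
    }

    # Start the OCSP check and hold the handshake until AUTH_RESULT fires.
    set ocsp_sid [AUTH::start pam default_ssl_ocsp]
    AUTH::cert $ocsp_sid [SSL::cert 0]
    AUTH::authenticate $ocsp_sid
    SSL::handshake hold
}

when CLIENTSSL_HANDSHAKE {
    if { [SSL::cert count] == 0 } {
        # Only the exempt network may proceed without a certificate.
        if { [IP::addr [IP::client_addr] equals 10.1.0.0 mask 255.255.0.0] } {
            log local0. "[IP::client_addr]: no client cert, exempt network, allowing"
        } else {
            log local0. "[IP::client_addr]: no client cert, rejecting"
            reject
        }
        return
    }

    # Cert presented but OCSP not finished yet: keep the handshake held.
    if { [info exists ocsp_done] && $ocsp_done == 0 } {
        SSL::handshake hold
    }
}

when AUTH_RESULT {
    # Only act on the result for the session this iRule started.
    if { [info exists ocsp_sid] && $ocsp_sid == [AUTH::last_event_session_id] } {
        set ocsp_done 1
        if { [AUTH::status] == 0 } {
            # Assumption: 0 means the OCSP check succeeded (good status).
            SSL::handshake resume
        } else {
            log local0. "[IP::client_addr]: OCSP check failed (AUTH::status \
                [AUTH::status]), rejecting"
            reject
        }
    }
}
```

The active_members check is deliberately placed before AUTH::start: once the request has been handed to the PAM module, a non-zero AUTH::status from a responder that never answered looks identical to a genuine revocation, so the only reliable way to fail closed on a dead responder is to refuse to start the check at all. If you would rather fail open while the responder is unreachable, that branch is the one to change, but it should be a conscious decision and logged.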