Forum Discussion
sgnormo
Cirrus
CirrusC3D and header insert
Have a F5 that is a WAF so is performing the break and inspect on user web traffic sending through the ASM module. Since the customers backend requires a user certificate I explained to the user there are two options that can be utilized.
Option 1 (preferred) the F5 prompts the user for their certificate, then the F5 performs a header insert to the backend systems (Apache) and then it is up to the customer to extract the certificate from the incoming packets. The user certificate will be the original user certificate (not modified). The backend servers must not send the "certificate request" or else the SSL negotiation will be terminated because the F5 will send a self signed cert.
Option 2 (less preferred) is C3D. The customer puts the F5 certificate that will be used for signing into their backend store as a trusted CA. When the user connects the F5 prompts the user for their certificate. Then the F5 communicates to the backend server and the backend send the "certificate request". F5 will resign the user certificate and send the certificate with the F5 being the certificate signer.
Customer said their Apache must prompt for the certificate, so have C3D setup on the F5 and the F5 is sending the resigned user certificate. When the customer Apache server sends that resigned certificate to the Oracle backend the Oracle refuses the certificate because the customer is storing the original user certificate in the Oracle backend.
I asked why does the Oracle backend need the full certificate, the Oracle can be configured to just use the CN from the certificate. Customer answer is because that is how it works.
So now the customer wants to utilize C3D and have the F5 perform a header insert of the user original certificate, I am not sure if that can be done. Even then just does not make any sense and makes things more complicated than required.
If I may add,
Proxy SSL would only be useful if a) you could guarantee only (legacy) RSA TLS handshakes, and b) you had a copy of the backend server's private keys. Proxy SSL can only be used with RSA handshakes, so would never work with most modern crypto, including TLS1.3.
Nikoolayy1 has the right answer. Because C3D is actively decrypting the traffic in the proxy, you can add an HTTP profile and use HTTP iRules here to inject HTTP headers.
Amine_KadimiMVP
This is a typical scenario where I would use the proxy ssl feature of client and server ssl profiles.
From the KB: "The Proxy SSL feature enables the BIG-IP system to optimize SSL traffic between the client and the destination server, without terminating the SSL connection on the BIG-IP system"
ASM inspection and other L7 features are supported.
sgnormoIf i reading the KB correctly the backend server will perform the client authentication, but in my environment the F5 must handle the user authentication and the F5 will pass the user certificate to the node.
Not a bad option, just that it allows direct communications between the client and backend server.
- Amine_Kadimi
My bad, I misunderstood the customer requirement. If I understand correctly, they want the exact certificate presented by the client to be presented by F5 as part of the ssl handshake process with the server. For me, this seems to break the whole ssl security process, and if technically permitted it would clearly make mitm attacks easier as any inline equipment can terminate the ssl communication and start a new one server side with the original certificate impersonating the client.
As for c3d, it's a feature that helps reusing the fields from the client certificate to forge a new client certificate and send it to backend servers.
Your customer should understand the security concerns with such a requirement.
Just my two cents. I hope DC experts can give you a better solution.
- Nikoolayy1
You can use the SSL::cert variable and then at an event like HTTP_REQUEST_RELEASE or HTTP_REQUEST_SEND to insert the cert in an HTTP header with a name you like that will be just send to the server without the client seeing but as Amine_Kadimi said what is the point of F5 checking the Cert and then the end servers to again check it.
Don't get me wrong as I had similar request by a client for F5 APM to act as an F5 Oauth Client/Resource server together with Azure AD as an Oauth Authorization server and to also forward the Azure AD signed JWT access token with Oauth SSO in "passthrough" mode to the end servers so that they can also validate it if it is signed by Microsoft but I tried to explain to the customer that this is strange 😀
Maybe as with the Oauth JWT token that has info like ad username/ad group/email etc. in my case the end application may use something in the cert like the CN to show a custom page to the user but then see X509::subject command and forward just that part to the pool members not the entire cert.
https://clouddocs.f5.com/api/irules/SSL__cert.html
https://clouddocs.f5.com/api/irules/HTTP_REQUEST_RELEASE.html
https://clouddocs.f5.com/api/irules/HTTP_REQUEST_SEND.html
https://clouddocs.f5.com/api/irules/X509__subject.html
https://clouddocs.f5.com/api/irules/X509.html
https://support.f5.com/csp/article/K14204621
- sgnormo
The attached file shows the two solution scenarios presented to the customer. I did present the F5 performing a header insert and then their Apache server would take the user certificate out and then pass the user certificate to Oracle. I explained to them that their Apache server should not send a certificate request because the F5 will send a self-sign cert and the Apache will end the ssl negotation because the Apache server will see the certificate signer and respond back with unknown ca.
The customer said their Apache server must prompt for a user certificate.
No matter what the F5 must perform break and inspect and there is no direct communications between the user web traffic and the backend servers.
- Kevin_Stewart
Employee
If I may add,
Proxy SSL would only be useful if a) you could guarantee only (legacy) RSA TLS handshakes, and b) you had a copy of the backend server's private keys. Proxy SSL can only be used with RSA handshakes, so would never work with most modern crypto, including TLS1.3.
Nikoolayy1 has the right answer. Because C3D is actively decrypting the traffic in the proxy, you can add an HTTP profile and use HTTP iRules here to inject HTTP headers.
