Forum Discussion
C3D and header insert
- Nov 28, 2022
You can use the SSL::cert variable and then, at an event like HTTP_REQUEST_RELEASE or HTTP_REQUEST_SEND, insert the cert in an HTTP header with a name you like that will just be sent to the server without the client seeing it. But, as Amine_Kadimi said, what is the point of F5 checking the cert and then the end servers checking it again?
Don't get me wrong, as I had a similar request from a client for F5 APM to act as an F5 OAuth client/resource server together with Azure AD as an OAuth authorization server, and to also forward the Azure AD signed JWT access token with OAuth SSO in "passthrough" mode to the end servers so that they can also validate that it is signed by Microsoft, but I tried to explain to the customer that this is strange 😀
Maybe, as with the OAuth JWT token that has info like AD username/AD group/email etc., in my case the end application may use something in the cert like the CN to show a custom page to the user, but then see the X509::subject command and forward just that part to the pool members, not the entire cert.
https://clouddocs.f5.com/api/irules/SSL__cert.html
https://clouddocs.f5.com/api/irules/HTTP_REQUEST_RELEASE.html
https://clouddocs.f5.com/api/irules/HTTP_REQUEST_SEND.html
https://clouddocs.f5.com/api/irules/X509__subject.html
https://clouddocs.f5.com/api/irules/X509.html
https://support.f5.com/csp/article/K14204621
The attached file shows the two solution scenarios presented to the customer. I did present the F5 performing a header insert, and then their Apache server would take the user certificate out and pass the user certificate to Oracle. I explained to them that their Apache server should not send a certificate request, because the F5 will send a self-signed cert and the Apache server will end the SSL negotiation, because it will see the certificate signer and respond back with unknown CA.
The customer said their Apache server must prompt for a user certificate.
No matter what, the F5 must perform break and inspect, and there is no direct communication between the user web traffic and the backend servers.
- Kevin_Stewart, Nov 28, 2022 (Employee)
If I may add,
Proxy SSL would only be useful if a) you could guarantee only (legacy) RSA TLS handshakes, and b) you had a copy of the backend server's private keys. Proxy SSL can only be used with RSA handshakes, so would never work with most modern crypto, including TLS1.3.
Nikoolayy1 has the right answer. Because C3D is actively decrypting the traffic in the proxy, you can add an HTTP profile and use HTTP iRules here to inject HTTP headers.
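As an added example, not code from any of the posts above or from F5's own documentation, here is an iRule that does what Nikoolayy1 and Kevin_Stewart describe: once C3D has terminated the client-side TLS session and validated the client certificate, an HTTP profile on the virtual server lets an iRule forward either the whole certificate or only its subject to the pool members in HTTP headers. The header names X-Client-Cert, X-Client-Cert-Subject and X-Client-Cert-Issuer are assumptions for this example, as is base64-encoding the DER certificate (the backend has to decode it). The commands used (SSL::cert, X509::subject, X509::issuer, b64encode, HTTP::header) are standard iRule commands; the example runs them in HTTP_REQUEST, where they are also valid, rather than in HTTP_REQUEST_RELEASE or HTTP_REQUEST_SEND as suggested in the thread.

```tcl
# Added example, not from the original thread. Forwards the C3D-validated
# client certificate (or just its subject) to the pool members in headers.
# Header names are assumptions; use whatever the backend application expects.
when HTTP_REQUEST {
    # Remove any copies of these headers the client sent itself. Without this
    # a user could supply their own X-Client-Cert-Subject and impersonate
    # another identity if the backend trusts the header blindly.
    HTTP::header remove "X-Client-Cert"
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Issuer"

    # SSL::cert 0 is the leaf certificate the client presented on the
    # client-side handshake; count is 0 when no certificate was sent.
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]

        # Option 1: forward the whole certificate. SSL::cert returns DER
        # bytes, which are not header-safe, so base64-encode them into a
        # single line. The backend must b64-decode and parse the DER.
        HTTP::header insert "X-Client-Cert" [b64encode $cert]

        # Option 2 (what Nikoolayy1 suggests): forward only the subject DN,
        # e.g. "CN=alice,OU=Users,O=Example", so the app can read the CN
        # without re-parsing or re-validating the certificate.
        HTTP::header insert "X-Client-Cert-Subject" [X509::subject $cert]
        HTTP::header insert "X-Client-Cert-Issuer" [X509::issuer $cert]
    }
}
```

The removal step is the security-relevant part: these headers are only trustworthy because the BIG-IP is the sole path to the pool members (the "break and inspect, no direct communication" requirement stated earlier in the thread). If the backend can be reached without going through the virtual server, it must not treat these headers as authenticated.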