Forum Discussion
William_Them_99
Nimbostratus
Apr 03, 2006
Certificate Authentication Problem
In our environment, if you visit a virtual server hosting an application, the BIGIP will prompt for a client certificate and then authenticate that certificate against an LDAP database.
If t...
William_Them_99
Nimbostratus
Jun 16, 2006
Colin, thanks.
This is the iRule that we have attached to our authentication configuration. The Auth Config talks to LDAP and searches it for the entire binary contents of the passed-in certificate.
    when CLIENT_ACCEPTED {
        # Open one PAM auth session per TCP connection against the
        # default_ssl_cc_ldap auth config; its id is reused by every later event.
        set tmm_auth_ssl_cc_ldap_sid [AUTH::start pam default_ssl_cc_ldap]
    }
    when CLIENTSSL_CLIENTCERT {
        # Cache the presented certificate in the session table, keyed by the
        # SSL session id, for 3601 seconds if it is not already there.
        set cur [SSL::sessionid]
        set ask [session lookup ssl $cur]
        if { $ask eq "" } {
            session add ssl $cur [SSL::cert 0] 3601
            log local0. "added session id $cur"
        }
        # Hand the certificate to the LDAP auth config and pause the
        # handshake until an AUTH_* event reports the result.
        AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid [SSL::cert 0]
        AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid
        SSL::handshake hold
    }
    when AUTH_SUCCESS {
        # Only act on results belonging to this connection's auth session.
        if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
            session add uie "cert_auth_failed" "false"
            SSL::handshake resume
        }
    }
    when AUTH_WANTCREDENTIAL {
        if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
            reject
        }
    }
    when AUTH_ERROR {
        if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
            reject
        }
    }

Note that we also have a Main iRule attached to the virtual servers that does other stuff. The AUTH_FAILURE event is in that iRule because we need to be able to use it to process redirects in the event of auth failures. It looks like this:
    when AUTH_FAILURE {
        # Record the failure for the redirect handling elsewhere in this iRule.
        # (Tcl needs the opening brace on the same line as the command.)
        if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
            set auth_code 1
            log local0. "auth_failure - reject, auth_code is $auth_code"
        }
        # Let the handshake finish so the failure can be answered with a redirect.
        SSL::handshake resume
        session add uie "cert_auth_failed" "true"
    }

Now, you will notice that we do save the client certificate to the session table in the CLIENTSSL_CLIENTCERT event. We have tried to delete it from the table on an auth failure, but the problem I've described still persists. This is why I was thinking that the function in v9.2 (SSL::session invalidate) would help, in that it might blow everything away and make the BIGIP think you never visited the first virtual server. But we still wonder if there is a way to accomplish this in the version we run (9.1.1).
Thanks - let me know if you would like to see more info.
-Bill
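Added example, not Bill's iRule and not F5 sample code: one consolidated rule that keeps the hold/resume flow from the two iRules above and, on AUTH_FAILURE, both deletes the cached certificate from the session table and calls SSL::session invalidate, the v9.2 command the post mentions, so the client's next connection cannot resume the TLS session without a full handshake and a fresh client certificate. The auth config name default_ssl_cc_ldap and the session-table keys come from the post; the redirect URL in HTTP_REQUEST is a placeholder, and unlike the post the cert_auth_failed flag is keyed by SSL session id so concurrent connections do not overwrite one another's result. It assumes the commands behave as documented for 9.2 and has not been run on a 9.1.1 unit.

```tcl
# Added example (not the poster's iRule). Assumes the auth config
# default_ssl_cc_ldap from the post and a BIG-IP where SSL::session
# invalidate exists (the post says v9.2).

when CLIENT_ACCEPTED {
    # One PAM auth session per TCP connection, created up front so its id
    # is available to every later event; auth_code is read in HTTP_REQUEST.
    set auth_sid [AUTH::start pam default_ssl_cc_ldap]
    set auth_code 0
}

when CLIENTSSL_CLIENTCERT {
    # An empty chain means there is nothing to authenticate: reject early
    # instead of sending an empty credential to LDAP.
    if { [SSL::cert count] < 1 } {
        log local0. "no client certificate presented, rejecting"
        reject
        return
    }
    set ssl_sid [SSL::sessionid]
    # Cache the DER certificate keyed by SSL session id (3601 s, as in the
    # post) so a resumed session can be tied back to the original cert.
    if { [session lookup ssl $ssl_sid] eq "" } {
        session add ssl $ssl_sid [SSL::cert 0] 3601
    }
    # Hand the certificate to the LDAP auth config and pause the handshake
    # until an AUTH_* event reports the result.
    AUTH::cert_credential $auth_sid [SSL::cert 0]
    AUTH::authenticate $auth_sid
    SSL::handshake hold
}

when AUTH_SUCCESS {
    if { $auth_sid eq [AUTH::last_event_session_id] } {
        # Flag keyed per SSL session rather than a single global key.
        session add uie "cert_auth_failed:$ssl_sid" "false" 3601
        SSL::handshake resume
    }
}

when AUTH_FAILURE {
    if { $auth_sid eq [AUTH::last_event_session_id] } {
        set auth_code 1
        log local0. "cert auth failed for SSL session $ssl_sid"
        # Drop the cached certificate so no later lookup for this SSL
        # session id finds a certificate that never authenticated...
        session delete ssl $ssl_sid
        # ...and make the TLS session itself non-resumable, so the client
        # must do a full handshake (and present a certificate) next time.
        SSL::session invalidate
        session add uie "cert_auth_failed:$ssl_sid" "true" 3601
        # Finish the handshake so the failure can be answered with an
        # HTTP redirect instead of a bare TCP reset.
        SSL::handshake resume
    }
}

when AUTH_WANTCREDENTIAL {
    if { $auth_sid eq [AUTH::last_event_session_id] } { reject }
}

when AUTH_ERROR {
    if { $auth_sid eq [AUTH::last_event_session_id] } { reject }
}

when HTTP_REQUEST {
    # Placeholder failure page; replace with the real URL.
    if { $auth_code == 1 } {
        HTTP::redirect "https://example.invalid/cert-auth-failed"
    }
}
```

The two deletions are deliberately separate: session delete clears the BIG-IP session table entry this iRule created, while SSL::session invalidate acts on the TLS session cache, and only the latter stops the browser from resuming the session on the next connection without re-presenting its certificate.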
