Client Authentication - Trusted Certificate Authority
My website requires user authentication with user name and password. Example: www.mysiteABC.com. I want to allow users to access this as they normally do, but if they were to go to www.mysiteABC.com/DEFG it would request them to provide a certificate from a trusted certificate authority. I have sites that "require" this for the entire site / VIP, but I have never done one that is a "request" and processes as normal if they do not provide a trusted cert. Can anyone help with an iRule for this?
My first instinct here would be to use an iRule and the virtual command. These kinds of changes in behavior mid-flow on a single virtual have caused problems for me in the past.
Basically, SubVirtual1 would be set up with no Auth and SubVirtual2 would be set up with only Auth.
The main VIP, using the address in DNS for www.mysiteABC.com, would have an iRule that would look something like this:
    when HTTP_REQUEST {
        # send the DEFG path to one sub-virtual and everything else to the other
        if { [string toupper [HTTP::uri]] starts_with "DEFG" } {
            virtual SubVirtual1
        } else {
            virtual SubVirtual2
        }
    }
- make that if { [string toupper [HTTP::uri]] starts_with "/DEFG" } {
- jermc777_185784
Nimbostratus
Thanks for this response. I think the way you describe will work, but I really would like to see this done with an iRule and not by creating additional VIPs. If that fails I will try what you have above.
- Amit_Karnik
Nimbostratus
I may be wrong, but I am not sure if this is possible without a redirect and a connection closure.
Any iRule you do with HTTP_REQUEST means that a valid TCP+SSL connection was already established, potentially without a client-side certificate. You cannot serve that HTTP request unless you force an SSL renegotiation and this time force a client certificate to be presented.
- jermc777_185784
Nimbostratus
I think it may be possible because this is in the client authentication description on F5.com.
The Request setting is often used in conjunction with iRules to provide selective access depending on the certificate presented. For example, this option would be useful if you would like to allow clients who present a certificate from the configured trusted CA to gain access to the application, while clients who do not provide the required certificate are redirected to a page that details the access requirements.
I would like the access requirements page to be the user name and password logon authentication page.
- Amit_Karnik
Nimbostratus
OK, you can definitely do what you are describing now. Set up your clientssl profile to "Request" instead of "Require" a client certificate.
This way the SSL handshake is successful both for end users who presented a certificate and for those who did not.
In the CLIENTSSL_HANDSHAKE event, check if a certificate was presented and whether it matched any of your policies. Based on those checks, set a flag.
Now you can use the flag in the HTTP_REQUEST event to either provide access or redirect to an info page which tells users what they need.
Best.
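As an added example of the flow described in this answer (not code from the thread): the clientssl profile is set to "Request", CLIENTSSL_HANDSHAKE records whether a certificate was presented and verified against the profile's trusted CA, and HTTP_REQUEST consults that flag only for the /DEFG path from the question. The /login redirect target and the X-Client-Cert-Subject header name are assumptions.

```tcl
# Added example; assumes the clientssl profile is set to "Request" so the
# handshake completes whether or not the client presents a certificate.
when CLIENTSSL_HANDSHAKE {
    # Per-connection flag: 1 only if a cert was presented AND chained to the
    # trusted CA bundle configured on the profile (verify result 0 = OK).
    set cert_ok 0
    if { [SSL::cert count] > 0 } {
        if { [SSL::verify_result] == 0 } {
            set cert_ok 1
        }
    }
}

when HTTP_REQUEST {
    # Only the DEFG subpath is certificate-gated; everything else flows as normal.
    if { [string toupper [HTTP::path]] starts_with "/DEFG" } {
        if { ![info exists cert_ok] || !$cert_ok } {
            # No acceptable cert: send the user to the username/password logon
            # page (placeholder path) instead of hanging the request.
            HTTP::respond 302 Location "https://[HTTP::host]/login?next=[URI::encode [HTTP::uri]]"
            return
        }
        # Cert accepted: pass the subject DN to the application (assumed header name).
        HTTP::header insert X-Client-Cert-Subject [X509::subject [SSL::cert 0]]
    }
}
```

Because the flag is set in CLIENTSSL_HANDSHAKE, no renegotiation is needed in HTTP_REQUEST; users without a certificate simply land on the logon page.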
- Brad_Parker_139
Nacreous
Give this a try:
    when HTTP_REQUEST {
        if { [string toupper [HTTP::uri]] starts_with "/DEFG" } {
            SSL::cert mode require
        } else {
            SSL::cert mode request
        }
    }
I don't have a good place to test this, but this makes me think it could work:
https://devcentral.f5.com/wiki/iRules.SSL__cert.ashx
"the system stores the received peer certificate in the SSL session table, so the certificate is available to the specified iRule commands as long as the SSL session is valid. In previous releases, the CLIENTSSL_CLIENTCERT iRule event retrieved the peer certificate; now the stored certificate can also be retrieved inside the HTTP_REQUEST event."
- jermc777_185784
Nimbostratus
I tried this but it did not seem to work. I set my SSL profile to "request", then to "require", and I also tried "ignore" in both of those statements above, but the URL just hangs or is looking for a cert.