Client Authentication with certificate on one URI only
I think this problem was already on the forums:
https://community.f5.com/t5/technical-articles/selective-client-cert-authentication/ta-p/275555
    when CLIENTSSL_CLIENTCERT {
        # The renegotiated handshake has completed: release the held request,
        # and drop the connection if the client still presented no certificate
        HTTP::release
        if { [SSL::cert count] < 1 } {
            reject
        }
    }
    when HTTP_REQUEST {
        # Only URIs listed in the requires_client_cert data group need a certificate
        if { [matchclass [HTTP::uri] starts_with $::requires_client_cert] } {
            if { [SSL::cert count] <= 0 } {
                # Hold the request, switch on required cert auth and force a new handshake
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }
- tub91, Oct 21, 2022 (Cirrus)
Hi mihaic
Thank you for your answer. However, we would like to avoid using SSL Renegotiation.
Is there any way to do this through the APM?
- Kevin_Stewart, Oct 27, 2022 (Employee)
Just to quickly follow up on this question, the answer depends on when. From an OSI perspective, by the time you've reached the HTTP URI, the TLS handshake is already done, so you really don't have any other option but to perform renegotiation. Since the client and BIG-IP have already established a TLS session (without cert auth), you basically have to tell the client to start a new TLS handshake, while you flip on the cert auth option. Even APM does this for things like On-Demand Cert Auth, that happen after the initial TLS handshake and after the access policy has started.
If you can get to the data you're looking for before the TLS handshake finishes, like looking at the SNI in the layer 4 TCP payload, then it would be possible to switch client SSL profiles (between auth and non-auth SSL profiles).
- iaine, Oct 25, 2022 (Nacreous)
Do your clients support SNI? If so, you could have two SSL profiles attached to your VIP. The default one would be for your 4 websites and the SNI one would be for your site that requires Client Cert auth and so would have this option set to require. The default SSL profile would have Client Cert set to Ignore.
You could do this via APM I guess - if the requested HTTP Host equals the 5th site then you could enable APM and insert an On Demand Client Cert object.
- tub91, Oct 25, 2022 (Cirrus)
Hi iaine
Using the "Request" in the Client Authentication section of the SSL Client profile and entering the CA that issued the certificate, we were able to obtain the expected result.
Obviously we then set up an iRule that verifies and allows access to the single URI on which the authentication with certificate must be.
I have explained the implemented flow in more detail here. Thank you for your interest.
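An iRule that performs the per-URI check tub91 describes, as an added example and not code from the thread: it assumes the client SSL profile has Client Authentication set to Request with the issuing CA as the trusted CA, that the protected path is /secure/ (a placeholder), and that the X-Client-Cert-Subject header name is hypothetical. In Request mode the handshake completes whether or not the client presents a certificate, and also when the certificate does not chain to the configured CA, so the iRule must check both the certificate count and the verify result before allowing the request through.

```tcl
when HTTP_REQUEST {
    # Assumed: client SSL profile uses Client Authentication = Request with the
    # issuing CA as Trusted CA, so the handshake succeeds with or without a cert.

    # Never trust this header from the client; strip it before deciding anything
    HTTP::header remove "X-Client-Cert-Subject"

    # Only this one path (placeholder) requires a verified client certificate;
    # every other URI on the virtual server is served without one.
    if { [string tolower [HTTP::path]] starts_with "/secure/" } {

        # Case 1: the client presented no certificate at all
        if { [SSL::cert count] < 1 } {
            HTTP::respond 403 content "Client certificate required" "Content-Type" "text/plain"
            return
        }

        # Case 2: a certificate was presented but did not validate against the
        # profile's CA (SSL::verify_result is 0 only for X509_V_OK)
        if { [SSL::verify_result] != 0 } {
            HTTP::respond 403 content "Client certificate not trusted" "Content-Type" "text/plain"
            return
        }

        # Hypothetical header: hand the verified subject DN to the backend so it
        # can authorize the user without re-parsing the certificate
        HTTP::header insert "X-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
    }
}
```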