Forum Discussion
Client Cert validation
Trying to understand the logistics here in the KB article: https://clouddocs.f5.com/api/irules/ClientCertificateCNChecking.html
    #The KB snippet runs in the CLIENTSSL_CLIENTCERT event; my_cn_list is a data group of CN values
    #and static::org is expected to be set in RULE_INIT (e.g. to the O= value to require)
    when CLIENTSSL_CLIENTCERT {
        #Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
        set subject_dn [X509::subject [SSL::cert 0]]
        log "Client Certificate Received: $subject_dn"
        #Check if the client certificate contains the correct O and a CN from the list
        if { ([matchclass $subject_dn contains my_cn_list]) and ($subject_dn contains $static::org) } {
            #Accept the client cert
            log "Client Certificate Accepted: $subject_dn"
        } else {
            log "No Matching Client Certificate Was Found Using: $subject_dn"
            reject
        }
    }
With this code, does the F5 just automatically accept the client cert and pass the user on to the HTTP_REQUEST portion of the iRule if it matches the data group list here, or does some action need to happen within the client cert section of the if statement to pass on the data?
    when CLIENTSSL_CLIENTCERT {
        set s_dn [X509::subject [SSL::cert 0]]
        set s_serial [X509::serial_number [SSL::cert 0]]
        log local0. "Client Certificate Received: $s_dn"
        if { $s_dn != "" } {
            if { [matchclass $s_serial contains DatagroupS] } {
                #Accept the client cert
                log local0. "Client Certificate Accepted: $s_serial"
            } else {
                reject
                log local0. "Failed Cert Auth - No Certificate"
            }
        } else {
            reject
        }
    }
Try this, it should work 🙂
- Yoann_Le_Corvi1 (Cumulonimbus)
Hi
This just matches the CN and ORGANISATION of a certificate to values stored in a data group and a static variable. If OK, the request will be released to the backend.
But note this requires first that the SSL profile assigned to the virtual server accepts the client certificate provided by the client, depending on how your SSL profile is configured:
- Trusted CA
- CRLs...
To summarize:
- If client cert authentication is enabled in your clientssl profile
- If the client cert issuer is trusted in your clientssl profile
- If the client cert is not in the revocation list (if you configured one in your clientssl profile)
- If the CN is in the datagroup list
- If the ORG matches the static variable value
Then the processing will continue.
Hope this makes it clearer. Let us know if not
Yoann
In looking at the code, I seem to be having an issue with the way I'm requesting data.
I want to allow multiple certificates from multiple orgs to access my application, and within the Client SSL profile I have only enabled the "Request" feature. I just want a general Client SSL profile to request the certificate and then pass on to the iRule. If the client subject DN matches my data group then allow traffic to pass. I seem to be having issues somewhere here.
    #Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
    set subject_dn [X509::subject [SSL::cert 0]]
    log "Client Certificate Received: $subject_dn"
    #Check if the client certificate contains the correct O and a CN from the list
    if { ([matchclass $subject_dn contains my_cn_list]) } {
        #Accept the client cert
        log "Client Certificate Accepted: $subject_dn"
    } else {
        log "No Matching Client Certificate Was Found Using: $subject_dn"
        reject
    }
In my logging with the subject matching, I get the log indicating it did match, but then the script also flows through the reject statement, I see the "No Matching" log, and traffic is rejected.
What am I missing here?
- Yoann_Le_Corvi1 (Cumulonimbus)
Hi
Maybe issues with { }?
Can you post the full iRule ?
Thanks
    when CLIENTSSL_CLIENTCERT {
        set s_dn [X509::subject [SSL::cert 0]]
        set s_serial [X509::serial_number [SSL::cert 0]]
        log local0. "Client Certificate Received: $s_dn"
        if { $s_dn != "" } {
            if { [matchclass $s_serial contains DatagroupS] } {
                #Accept the client cert and stop processing this event here;
                #without the return, the unconditional reject below would run
                #for every connection, matching serial or not
                log local0. "Client Certificate Accepted: $s_serial"
                return
            }
        }
        #Everything that did not return above (no cert, or serial not in DatagroupS)
        reject
        log local0. "Failed Cert Auth - No Certificate"
    }
Worked! Thanks!
- Yoann_Le_Corvi1 (Cumulonimbus)
Great. If you can then mark it as Answered would be great :)
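The following is an example added by the editor; it is not from the thread, the KB article or F5, and it is not an iRule. It models in plain Python the two allow-list checks discussed above (the CN/O match in Yoann's summary and the serial-number data group in the final iRule) so their matching semantics can be tried offline. `contains_match` reproduces what `matchclass $dn contains <datagroup>` and `$dn contains $static::org` do, which is substring matching, so an entry of `CN=John Smith` also admits `CN=John Smithers` and `O=Your Organisation` also admits `O=Your Organisation Ltd`; `exact_match` compares whole attribute values instead. `serial_allowed` keys the allow list on (issuer DN, serial) because a serial number is only unique within one CA. The sample subject DNs, the issuing CA name and the serial value are constructed for the example; the serial normalization assumes the hex/colon forms shown in the comment.

```python
"""Client-certificate allow-list checks modelled in plain Python.

Editor-added example, not F5 or thread code. Sample DNs, CA name and
serial below are constructed; the DN strings use the OpenSSL one-line
form that X509::subject returns.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed subjects. Only the first is the legitimate user from the
# thread's example; the other two are look-alikes a substring match admits.
SAMPLE_SUBJECTS = [
    "/C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith",
    "/C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smithers",
    "/C=AU/ST=NSW/L=Syd/O=Your Organisation Ltd/OU=Your OU/CN=John Smith",
]


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split a one-line DN into attribute -> [values] (OU etc. may repeat).

    Assumes attribute values contain no '/'; the one-line format does not
    protect against that, so a DN that fails to parse is treated as
    untrusted by the callers below.
    """
    attrs: Dict[str, List[str]] = {}
    for rdn in dn.strip("/").split("/"):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        key, value = rdn.split("=", 1)
        attrs.setdefault(key, []).append(value)
    return attrs


def contains_match(subject_dn: str, needles: Iterable[str]) -> bool:
    """Substring semantics of `matchclass $dn contains <datagroup>` and
    `$dn contains $static::org`: any needle found anywhere in the DN matches."""
    return any(needle in subject_dn for needle in needles)


def exact_match(subject_dn: str, allowed_cns: Set[str], required_org: str) -> bool:
    """Whole-attribute comparison: exactly one O equal to required_org, and a
    CN that is itself in the allow list rather than a prefix of a longer CN."""
    try:
        attrs = parse_dn(subject_dn)
    except ValueError:
        return False
    if attrs.get("O") != [required_org]:
        return False
    return any(cn in allowed_cns for cn in attrs.get("CN", []))


def normalize_serial(serial: str) -> str:
    """Canonical hex so '0a:1b:2c', '0A1B2C' and '00:0a:1b:2c' compare equal.
    (Assumed input forms; adjust if your platform renders serials differently.)"""
    return serial.replace(":", "").upper().lstrip("0") or "0"


# Constructed allow list keyed by (issuer DN, serial). Serials are only unique
# per issuer, so a data group of bare serials would admit a certificate with
# the same serial from any other CA the client SSL profile trusts.
ALLOWED_ISSUER_SERIALS: Set[Tuple[str, str]] = {
    (issuer, normalize_serial(serial))
    for issuer, serial in [
        ("/C=AU/O=Your Organisation/CN=Your Organisation Issuing CA", "0A:1B:2C"),
    ]
}


def serial_allowed(issuer_dn: str, serial: str,
                   allowed: Set[Tuple[str, str]] = ALLOWED_ISSUER_SERIALS) -> bool:
    """True only when both the issuer and the normalized serial are listed."""
    return (issuer_dn, normalize_serial(serial)) in allowed


if __name__ == "__main__":
    cn_datagroup = ["CN=John Smith"]          # the thread's data group, as used with `contains`
    for dn in SAMPLE_SUBJECTS:
        substring_ok = contains_match(dn, cn_datagroup) and contains_match(dn, ["O=Your Organisation"])
        exact_ok = exact_match(dn, {"John Smith"}, "Your Organisation")
        print(f"{dn}\n  contains-match: {substring_ok}  exact-match: {exact_ok}")
```

Run it as a script to see that the substring check accepts all three constructed subjects while the whole-attribute check accepts only the first; the same distinction applies to a data group consulted from an iRule, where `class match -value` or `equals` operators give whole-value comparison.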