Forum Discussion

Stefan_Klotz
Apr 24, 2023

Client-Certificate and IP-Whitelisting via Policy or iRule?

We have a requirement to verify for a valid client-certificate (not expired and issued from a trusted CA), but also accept a bypass if the source-IP is trusted. I have the following questions for the...
  • Michael_Saleem
    Apr 25, 2023

    I would approach this by having two separate client SSL profiles - one without client authentication (bypass) and one with client authentication (require). And then use an iRule to switch between them based on the source IP.

    create ltm profile client-ssl CLIENTSSL-NO-CLIENT-AUTH defaults-from <PARENT CLIENT SSL PROFILE> cert-key-chain add { <CERT KEY CHAIN NAME> { cert <CERT NAME>.crt key <KEY NAME>.key chain <CA BUNDLE NAME>.crt } }
    
    create ltm profile client-ssl CLIENTSSL-CLIENT-AUTH defaults-from <PARENT CLIENT SSL PROFILE> cert-key-chain add { <CERT KEY CHAIN NAME> { cert <CERT NAME>.crt key <KEY NAME>.key chain <CA BUNDLE NAME>.crt } } peer-cert-mode require ca-file <ROOT CA NAME>.crt
    
    create ltm data-group internal DG-SSL-CLIENT-AUTH-BYPASS type ip records add { <WHITELISTED IP 1> <WHITELISTED IP 2> ... }
    
    when CLIENT_ACCEPTED {
      set DEBUG 0
      set CLIENT_IP [IP::client_addr]
    
      # Tcl requires "else" on the same line as the closing brace of the if-body,
      # otherwise it is parsed as a separate (unknown) command
      if { [class match $CLIENT_IP equals DG-SSL-CLIENT-AUTH-BYPASS] } {
        # Skip SSL client authentication for whitelisted source IPs
        SSL::profile CLIENTSSL-NO-CLIENT-AUTH
        if { $DEBUG } { log local0. "$CLIENT_IP - SSL client authentication bypassed" }
      } else {
        # Enforce SSL client authentication for all other source IPs
        SSL::profile CLIENTSSL-CLIENT-AUTH
        if { $DEBUG } { log local0. "$CLIENT_IP - SSL client authentication enforced" }
      }
    }
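The two-profile switch above hands the "not expired, issued by a trusted CA" decision entirely to the `require` profile, so a failed check surfaces only as a handshake failure. As an added example (not part of the thread, and not code from the poster), the following iRule shows the same bypass with a single client SSL profile set to `peer-cert-mode request`, so that the handshake completes and the iRule itself inspects the verification result and logs why a connection was refused. Assumed names: the data group `DG-SSL-CLIENT-AUTH-BYPASS` (type ip) from the answer, and a profile `CLIENTSSL-CLIENT-AUTH-REQUEST` that has `peer-cert-mode request` and a `ca-file` configured; `SSL::verify_result` returns the OpenSSL X509 verify code, where 0 means the chain validated against that CA file and the validity period was honoured.

```tcl
# Added example, not from the original thread.
# Assumes the virtual server uses a client SSL profile
# CLIENTSSL-CLIENT-AUTH-REQUEST with: peer-cert-mode request, ca-file <ROOT CA>.crt
# and the data group DG-SSL-CLIENT-AUTH-BYPASS (type ip) from the answer above.

when CLIENT_ACCEPTED {
    set DEBUG 0
    set client_ip [IP::client_addr]

    # Decide once per connection whether this source may skip the certificate check
    if { [class match $client_ip equals DG-SSL-CLIENT-AUTH-BYPASS] } {
        set bypass 1
    } else {
        set bypass 0
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires after the client certificate (or its absence) has been processed;
    # connection-scoped variables from CLIENT_ACCEPTED are still visible here.
    if { $bypass } {
        if { $DEBUG } { log local0. "$client_ip - client certificate check bypassed (trusted source)" }
        return
    }

    # With peer-cert-mode "request" the handshake does not fail by itself,
    # so a missing certificate has to be refused explicitly.
    if { [SSL::cert count] == 0 } {
        log local0. "$client_ip - no client certificate presented, rejecting"
        reject
        return
    }

    # 0 = X509_V_OK. Any other value is an OpenSSL verify error code
    # (for example 10 = certificate has expired, 20 = issuer not in the CA file).
    set vresult [SSL::verify_result]
    if { $vresult != 0 } {
        log local0. "$client_ip - client certificate rejected, verify code $vresult, subject [X509::subject [SSL::cert 0]]"
        reject
        return
    }

    if { $DEBUG } { log local0. "$client_ip - client certificate accepted, subject [X509::subject [SSL::cert 0]]" }
}
```

The `DEBUG` flag keeps successful and bypassed connections out of the log in normal operation, while refusals are always logged with the verify code and subject so that an expired or wrongly issued certificate can be told apart from a missing one during troubleshooting.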