Forum Discussion
psor_73734
Nimbostratus
Aug 18, 2009
client certificate authentication for a particular directory
Hi
I need to use client certificate authentication for a particular directory, for example:
on
https://demo.com (no authentication needed)
https://demo.com/auth (we require asking for a client certificate with OCSP verification)
I could configure it for the entire URL but not for a particular directory.
Is there any way to do that?
Thank you
6 Replies
- hoolio
Cirrostratus
Hi,
There are a few examples of this in the iRules forum and one in the Codeshare. You might need to tweak the rule based on which LTM version you are running. I should have an updated example to post in the next few weeks as well.
http://devcentral.f5.com/wiki/default.aspx/iRules/Make_BigIP_request_a_client_certificate_and_pass_it_to_application_code.html
Aaron
- psor_73734
Nimbostratus
Aaron,
I'm using LTM 9.44. I need to use OCSP verification for a particular directory (example.com/auth), but I don't know how to restrict this behavior (on the ssl_profile) to a particular directory. I tried to use an iRule like this:
when CLIENTSSL_HANDSHAKE {
    # After the renegotiated handshake, release the held request once a cert is present
    if { [SSL::cert count] > 0 } {
        HTTP::release
    }
}
when HTTP_REQUEST {
    # Only requests under the protected directory should trigger the client cert request
    if { [HTTP::uri] starts_with "/abc/" } {
        if { [SSL::cert count] == 0 } {
            # Hold the request, then renegotiate with the cert filter switched on
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}
But it doesn't work fine and it doesn't have the logic for OCSP verification.
Thank you
- hoolio
Cirrostratus
It would be good to upgrade to the latest 9.4.x version, 9.4.7, as there have been a number of important fixes since 9.4.4. For OCSP validation of the client cert, there is a default OCSP verification iRule provided. You can reference that for ideas to start with. Once I have a working version I can post that as well.
You may also want to change the cert mode from require to request so you can gracefully handle client requests which don't include a cert.
Aaron
- psor_73734
Nimbostratus
I understand what you mean, but if I use request mode, clients will always be prompted to present a client certificate for the entire site. That's not what I want.
Thank you
- hoolio
Cirrostratus
You'll need to set the client SSL profile to ignore client certs. In the iRule, after examining the requested URI and finding a request to a restricted URI, you'll want to renegotiate the SSL handshake with the client and dynamically set the client SSL filter to request a client cert. You can do this using:
    HTTP::collect
    SSL::session invalidate
    SSL::authenticate always
    SSL::authenticate depth 9
    SSL::cert mode request
    SSL::renegotiate
Make sure to include 'SSL::session invalidate' to force browsers to renegotiate a new SSL session ID. Not all versions of IE will do this otherwise.
Aaron
- psor_73734
Nimbostratus
I will try it.
Thank you Aaron
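Putting hoolio's steps together as one complete iRule, as an added example that is not from the thread or from F5: it assumes the client SSL profile has client cert mode set to ignore, uses /auth (a hypothetical path taken from the question) as the protected directory, and assumes HTTP::respond is allowed in CLIENTSSL_HANDSHAKE on the LTM version in use. OCSP checking of the presented certificate is not included.

```tcl
# Added example, not from the thread: request a client certificate only for
# requests under /auth (hypothetical path), renegotiating the handshake on demand.
# Assumes the client SSL profile is set to ignore client certs.

when CLIENTSSL_HANDSHAKE {
    # Fires for the initial handshake and again after our forced renegotiation.
    # Only the renegotiated handshake has a held request to deal with.
    if { [info exists renegotiating] } {
        unset renegotiating
        if { [SSL::cert count] == 0 } {
            # Mode "request" lets the handshake finish without a cert, so reject
            # with an HTTP error instead of silently dropping the connection.
            HTTP::respond 403 content "A client certificate is required for /auth" Connection Close
        } else {
            # Certificate received: let the held request continue to the pool.
            HTTP::release
        }
    }
}

when HTTP_REQUEST {
    # Only the protected directory triggers the certificate request.
    if { [string tolower [HTTP::path]] starts_with "/auth" } {
        if { [SSL::cert count] == 0 } {
            set renegotiating 1
            # Hold the request, force a new session ID, and renegotiate
            # with the client certificate filter switched on.
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        }
    }
}
```

Requests outside /auth never see a certificate prompt, while a client that completes the renegotiation without a certificate gets a 403 rather than a dropped TCP connection.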