Forum Discussion
Marcin_01_16191
Nimbostratus
12 years ago
Client Certificate Authentication/Certificate in header PROBLEM
Hi everyone,
I have a big problem with F5. In my application I authenticate users by their cert. Authentication is required on a specified URL. Below is my iRule. I have configured a Client SSL Profile ...
Kevin_Stewart
Employee
12 years ago
Give this a shot. It's also a combination of all of your rules, so you can replace all of them with this one:
    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert count] < 1 } {
            # the client did not present a certificate - fail
            reject
        } else {
            # keep the presented certificate (PEM) in a temporary variable
            set clientcertdata [X509::whole [SSL::cert 0]]
        }
        # release the request that was held with HTTP::collect
        HTTP::release
    }

    when HTTP_REQUEST {
        # get the host header and disable STREAM
        set host [string tolower [HTTP::host]]
        if { $host eq "" } {
            set host [IP::local_addr]
        }
        STREAM::disable

        # private URI space requested and F5AUTH cookie does not exist - prompt for a client certificate
        if { not ( [HTTP::uri] equals "/favicon.ico" ) and ( [HTTP::uri] starts_with "/private" ) and not ( [HTTP::cookie exists F5AUTH] ) } {
            # hold the request, invalidate the SSL session and renegotiate with a required client cert
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        } elseif { [HTTP::cookie exists F5AUTH] } {
            # F5AUTH cookie exists - send the stored certificate data in the HTTP header
            if { [table lookup -subtable CERTDATA [HTTP::cookie value F5AUTH]] ne "" } {
                # insert the stored certificate
                HTTP::header replace SSL-CLIENT-CERT [table lookup -subtable CERTDATA [HTTP::cookie value F5AUTH]]
            }
        }
    }

    when HTTP_REQUEST_SEND {
        clientside {
            if { ( [info exists clientcertdata] ) and not ( [HTTP::cookie exists F5AUTH] ) } {
                # first request after renegotiation - send the header from the variable
                HTTP::header replace SSL-CLIENT-CERT $clientcertdata
            }
        }
    }

    when HTTP_RESPONSE {
        # process the response payload with STREAM
        if { [HTTP::header value Content-Type] contains "text" and $host ne "" } {
            STREAM::expression "@http://$host@https://$host@"
            STREAM::enable
        }
        # rewrite the redirect Location header if it exists
        if { [string tolower [HTTP::header Location]] starts_with "http://$host" } {
            HTTP::header replace Location [string map -nocase "http://$host https://$host" [HTTP::header Location]]
        }
        # if the clientcertdata variable is set - store it and send the F5AUTH cookie to the client
        if { [info exists clientcertdata] } {
            # generate a random unique id
            set uniqueid "_[string range [AES::key 256] 34 end]"
            # insert the table entry (one hour timeout)
            table add -subtable CERTDATA $uniqueid $clientcertdata 3600
            # send the cookie
            HTTP::header insert "Set-Cookie" "F5AUTH=$uniqueid; path=/; secure; HTTPOnly"
            # unset the clientcertdata variable
            unset clientcertdata
        }
    }
The iRule sets a cookie and stores the cookie data in a session table entry to guarantee that a) it always exists, and b) the user doesn't have to renegotiate SSL every time they attempt to access a private URI. You'll need to modify the URI condition above for your private URI patterns.
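To trace the cookie and session-table flow offline, here is an added plain-Python model of the decisions the iRule above makes (it is not code from the thread or from F5, performs no TLS, and uses a constructed placeholder string in place of the certificate). The last request in the trace shows the case where the F5AUTH cookie is still present but its table entry has passed the 3600 s timeout: as the rule is written, no header is sent and no renegotiation happens.

```python
# Added model (not the thread's code): the decisions the iRule above makes,
# in plain Python. No TLS is done; the certificate is a constructed placeholder.
import secrets

CERT_TTL = 3600  # seconds, the timeout passed to "table add ... 3600"

class CertSessionProxy:
    def __init__(self):
        self.table = {}  # CERTDATA subtable: cookie id -> (cert data, expiry)

    def handle(self, uri, cookies, client_cert, now):
        """Returns (action, headers sent to the server, Set-Cookie or None)."""
        headers = {}
        private = uri != "/favicon.ico" and uri.startswith("/private")
        token = cookies.get("F5AUTH")
        if private and token is None:
            # HTTP_REQUEST: private URI without the cookie -> SSL::renegotiate
            if client_cert is None:
                return "reject", headers, None  # CLIENTSSL_CLIENTCERT: cert count < 1
            # HTTP_REQUEST_SEND: the first request carries the cert just presented
            headers["SSL-CLIENT-CERT"] = client_cert
            # HTTP_RESPONSE: store the cert with a TTL and hand out the cookie
            uid = "_" + secrets.token_hex(16)
            self.table[uid] = (client_cert, now + CERT_TTL)
            return "renegotiated", headers, f"F5AUTH={uid}; path=/; secure; HTTPOnly"
        if token is not None:
            entry = self.table.get(token)
            if entry is not None and entry[1] > now:
                headers["SSL-CLIENT-CERT"] = entry[0]  # served from the subtable
            # Unknown or expired entry: as written, the rule forwards the request
            # with no SSL-CLIENT-CERT header and does not renegotiate.
        return "forward", headers, None


def cookie_token(set_cookie):
    return set_cookie.split(";")[0].split("=", 1)[1]


def trace(cert="-----BEGIN CERTIFICATE----- constructed -----END CERTIFICATE-----"):
    """Walk one client through the flow and return the sequence of actions."""
    proxy = CertSessionProxy()
    actions = [proxy.handle("/public/index.html", {}, None, 0)[0]]
    actions.append(proxy.handle("/private/app", {}, None, 0)[0])      # no cert: reject
    act, _, sc = proxy.handle("/private/app", {}, cert, 0)            # cert: cookie issued
    actions.append(act)
    jar = {"F5AUTH": cookie_token(sc)}
    actions.append(proxy.handle("/private/app", jar, None, 60)[0])    # cookie: from table
    actions.append(proxy.handle("/private/app", jar, None, 3601)[0])  # entry expired
    return actions
```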