Forum Discussion
Client certificate pass through
I am trying to pass a client certificate through the BIGIP to my backend system for client authentication without using APM. Any help would be appreciated.
- Richard__Harlan (Historic F5 Account)
You will want to look at the SSL proxy feature; it will allow the backend system to terminate the SSL connection while allowing the LTM to decrypt the traffic.
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html?sr=33588210
- I don't know much about APM, but on BIGIP LTM you can configure the VIP with type = Performance (L4). Not sure if the concept is the same on APM...
- Kevin_Stewart (Employee)
You could also very simply not apply a client and server SSL profile to the VIP. The SSL will pass straight through.
- Chris_Broomes (Altostratus)
I need to be able to terminate SSL on the BIGIP and pass the client certificate.
As mentioned before, check the SSL proxy setup then.
- Chris_Broomes (Altostratus)
I was told that this iRule should do the trick by one of my colleagues:
    when CLIENTSSL_CLIENTCERT {
        log local0. "Debug: cert_counter : [SSL::cert count]"
        log local0. "Debug: client ip : [IP::client_addr]"
        log local0. "Debug: verify : [SSL::verify_result]"
        # store the client certificate information in memory, keyed by SSL session ID
        if {[SSL::cert count] > 0}{
            table set -subtable Cert_Data [SSL::sessionid] [list \
                [SSL::verify_result] \
                [X509::whole [SSL::cert 0]] \
                [X509::subject [SSL::cert 0]] \
                [X509::serial_number [SSL::cert 0]] \
            ] 1200
        }
    }

    when HTTP_REQUEST {
        # define values
        set no_cert "no_cert"
        set no_user "no_user"

        # remove any SSL_CLIENT_CERT / SSL_CLIENT_USER headers the client sent,
        # so the backend only ever sees values inserted by the BIG-IP
        HTTP::header remove SSL_CLIENT_CERT
        HTTP::header remove SSL_CLIENT_USER

        if {[SSL::sessionid] ne ""}{
            set id [SSL::sessionid]
            # read the client certificate information from memory
            set the_cert [table lookup -subtable Cert_Data $id]

            # verify_result 0 = ok, 19 = self-signed cert in chain, 21 = unable to verify first cert
            if {[lindex $the_cert 0] == 0 || [lindex $the_cert 0] == 21 || [lindex $the_cert 0] == 19 }{
                # base64-encode the PEM certificate so it fits in a single header value
                set the_cert_mod [b64encode [lindex $the_cert 1]]
                log local0. "Debug: sslsession $id"
                log local0. "Debug: the cert 0 : [lindex $the_cert 0]"
                log local0. "Debug: the cert 2 : [lindex $the_cert 2]"
                log local0. "Debug: the cert 1 : $the_cert_mod"
                # get the CN (user) from the subject
                set the_user [findstr [lindex $the_cert 2] "CN=" 3 ","]
                # copy the whole (base64-encoded PEM) certificate to the header
                HTTP::header insert SSL_CLIENT_CERT $the_cert_mod
                # copy the username to the header
                HTTP::header insert SSL_CLIENT_USER $the_user
                log local0. "Debug: SSL_CLIENT_CERT : [HTTP::header value SSL_CLIENT_CERT]"
                log local0. "Debug: SSL_CLIENT_USER : [HTTP::header value SSL_CLIENT_USER]"
            }
        }
    }
- Kevin_Stewart (Employee)
I think maybe your problem description was a little confusing. You can certainly use the above rule to pass certificate data to the server as HTTP headers, but that's not technically a "pass through". Once you've terminated the SSL on the client side of the VIP, even if you re-encrypt, you cannot send the client's cert to the server in an SSL handshake. You can send it in an HTTP header though.
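As an added example that is not part of this thread and not F5's own code, the following Python sketch models both halves of the header hand-off that the posted iRule implements and that Kevin describes: the proxy side strips any SSL_CLIENT_CERT / SSL_CLIENT_USER headers the client itself sent and only inserts values for an acceptable verify result, and the backend side accepts those headers only from a trusted BIG-IP address before decoding the base64-encoded PEM back to DER. The `findstr` helper, the `proxy_headers` / `backend_identity` function names, the proxy address and the certificate blob are all assumptions constructed for the example (the blob is not a real X.509 certificate).

```python
"""Model of the header-based client-certificate hand-off (constructed example).

proxy_headers()    mirrors the iRule's HTTP_REQUEST logic.
backend_identity() is what the backend system has to do with the headers.
Only the standard library is used, so this runs offline.
"""
import base64
import ssl

# SSL::verify_result values the iRule accepts:
# 0 = OK, 19 = self-signed certificate in chain, 21 = unable to verify first cert.
ACCEPTED_VERIFY_RESULTS = {0, 19, 21}

# Constructed placeholder, NOT a real certificate: just bytes wrapped in PEM armour.
FAKE_DER = b"constructed placeholder, not a real certificate"
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(FAKE_DER).decode()
            + "-----END CERTIFICATE-----\n")


def findstr(text, needle, skip=0, terminator=None):
    """Equivalent of the iRule findstr command (assumed semantics): the substring
    starting `skip` characters after the first occurrence of `needle`, ending
    before `terminator` (or at end of string). Empty string if needle is absent."""
    i = text.find(needle)
    if i < 0:
        return ""
    start = i + skip
    if terminator is None:
        return text[start:]
    end = text.find(terminator, start)
    return text[start:] if end < 0 else text[start:end]


def proxy_headers(client_headers, session_entry):
    """Return the headers the proxy forwards to the backend.

    client_headers: headers as received from the client (dict).
    session_entry:  None when no client cert was presented, otherwise the tuple
                    (verify_result, pem_cert, subject, serial) the iRule stores
                    in the Cert_Data subtable during CLIENTSSL_CLIENTCERT.
    """
    # Always drop client-supplied copies of the identity headers first; otherwise a
    # client could simply assert any user by sending SSL_CLIENT_USER itself.
    out = {k: v for k, v in client_headers.items()
           if k.upper() not in ("SSL_CLIENT_CERT", "SSL_CLIENT_USER")}
    if session_entry is None:
        return out
    verify_result, pem_cert, subject, _serial = session_entry
    if verify_result not in ACCEPTED_VERIFY_RESULTS:
        return out
    # b64encode of the PEM text, as the iRule does (not a PEM-to-DER conversion).
    out["SSL_CLIENT_CERT"] = base64.b64encode(pem_cert.encode()).decode()
    out["SSL_CLIENT_USER"] = findstr(subject, "CN=", 3, ",")
    return out


def backend_identity(headers, peer_ip, trusted_proxies):
    """Backend-side handling: return (user, der_bytes) or None.

    The headers are only meaningful when the TCP peer is a known BIG-IP address;
    a request that reached the backend by any other path must not be trusted.
    """
    if peer_ip not in trusted_proxies:
        return None
    b64 = headers.get("SSL_CLIENT_CERT")
    user = headers.get("SSL_CLIENT_USER")
    if not b64 or not user:
        return None
    try:
        pem = base64.b64decode(b64, validate=True).decode("ascii")
        der = ssl.PEM_cert_to_DER_cert(pem)   # strips armour, decodes the body
    except (ValueError, UnicodeDecodeError):
        return None
    return user, der


if __name__ == "__main__":
    spoof = {"Host": "app.example", "SSL_CLIENT_USER": "admin", "SSL_CLIENT_CERT": "AAAA"}
    print("no cert presented  ->", proxy_headers(spoof, None))
    entry = (0, FAKE_PEM, "CN=alice,OU=Sales,O=Example Corp", "01AB")
    fwd = proxy_headers(spoof, entry)
    print("forwarded user     ->", fwd["SSL_CLIENT_USER"])
    print("from untrusted peer ->", backend_identity(fwd, "203.0.113.9", {"10.0.0.5"}))
    print("from BIG-IP        ->", backend_identity(fwd, "10.0.0.5", {"10.0.0.5"}))
```

The stripping step in `proxy_headers` is the part of the posted iRule that matters most for security, and the `trusted_proxies` check is the backend-side counterpart: together they are what makes a plain HTTP header an acceptable carrier for an identity the backend never verified in a handshake itself.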