Forum Discussion

IRONMAN
Sep 14, 2019

Client SSL authentication info needs to be sent to the back-end server in an HTTP header?

Can anyone guide me here?

I have a requirement to send the headers below to the back-end servers as HTTP headers.

I am creating a client SSL profile for Client Authentication with the Request method.

On the server side, I am not using any SSL profile, only plain HTTP.

The two headers below need to be inserted:

X-SSL-Client-CN : xxxxxx.com

X-SSL-Client-SHA1 :c46bee94a8514d531f7385f95e53d96471e1f293

The iRule below is not giving the expected results. I think the header names need to change; please correct it if anyone has an idea.

when CLIENTSSL_CLIENTCERT priority 100 {
    if {[SSL::cert count] > 0} {
        set clientCert [X509::whole [SSL::cert 0]]
        set clientCertSubject [X509::subject [SSL::cert 0]]
        set clientCertHash [X509::hash [SSL::cert 0]]
        foreach field [ split $clientCertSubject ","] {
            if {$field starts_with "CN="} {
                set clientCommonName [getfield $field "=" 2]
            }
        }
    }
}
 
when HTTP_REQUEST {
    if {([info exists clientCert]) && ($clientCert ne "")} {
        HTTP::header insert X-Client-Cert $clientCert
    }
 
    if {([info exists clientCommonName]) && ($clientCommonName ne "")} {
        HTTP::header insert X-Client-CN $clientCommonName
    }
 
    if {([info exists clientCertHash]) && ($clientCertHash ne "")} {
        HTTP::header insert X-Client-hash $clientCertHash
    }
}
  • Hi IRONMAN,

    when CLIENTSSL_CLIENTCERT priority 100 {
        if {[SSL::cert count] > 0} {
            set clientCert [X509::whole [SSL::cert 0]]
            set clientCertSubject [X509::subject [SSL::cert 0]]
            set clientCertHash [X509::hash [SSL::cert 0]]
            foreach field [ split $clientCertSubject ","] {
                if {$field starts_with "CN="} {
                    set clientCommonName [getfield $field "=" 2]
                }
            }
        }
    }
     
    when HTTP_REQUEST {
        if {([info exists clientCert]) && ($clientCert ne "")} {
            HTTP::header insert X-SSL-Client-Cert $clientCert
        }
     
        if {([info exists clientCommonName]) && ($clientCommonName ne "")} {
            HTTP::header insert X-SSL-Client-CN $clientCommonName
        }
     
        if {([info exists clientCertHash]) && ($clientCertHash ne "")} {
            HTTP::header insert X-SSL-Client-SHA1 $clientCertHash
        }
    }
    • IRONMAN

      Please let me know, should I add the below to set the $clientCertHash value from SSL?

      if {$field starts_with "CN="} {
          set clientCommonName [getfield $field "=" 2]
      }

      • You should use it for clientCommonName (X-SSL-Client-CN)

        # for X-SSL-Client-CN

        set clientCertSubject [X509::subject [SSL::cert 0]]
        foreach field [ split $clientCertSubject ","] {
            if {$field starts_with "CN="} {
                set clientCommonName [getfield $field "=" 2]
            }
        }

        # for X-SSL-Client-SHA1

        set clientCertHash [X509::hash [SSL::cert 0]]