Forum Discussion
AltostratusClient SSL cert Move Traffic To CDN -
hi all, i move the app to CDN before the CDN the BIGIP will check the client SSL cert and base on URI allow to access to the site,
(some of uri work without the client ssl, and some uris work only if the client ssl verify),
Now in CDN we can only request (and not required ) the client ssl but not enforce the PKI check - and insert it via HTTP header,
How i can check if the Client SSL that CDN give me via header trust my CA?
( I don't want to look only for CN because attacker can make a fake client cert with the same CN )?
Does someone have any idea?
spalandeNacreous
Is BIGIP still in the new traffic flow?
client --> CDN --> BIGIP --> Origin server
Is yes, I guess you would not cache the uri which needs mTLS (client certificate authentication) at CDN level and that would be forwarded to the BIGIP. If this is the case, you can still use client certificate authentication on BIGIP. Or did I understood it wrong?
If BIGIP is not in the traffic flow for CDN and below is the traffic flow
client --> CDN --> Origin Server
Then you would need to see the option at CDN level to parse the client certificate and extract the values from it e.g. SubjectDN, Issuer, serial number and added in HTTP headers. These can be checked on the origin server for authorisation.
igorzhukCurrent state is client --> BIGIP --> Origin Server
today BIGIP make a client cert request and i allow base on uri who can access to some URLs without Cert and some of URLs i Validate Client certificate and allow only if the client cert valid
The further state
The Flow will be: client --> CDN --> BIGIP --> Origin server
we will move the (client certificate authentication) at CDN
but in the CDN we can't make (like irule check the Certificate Validation base URI)
we can make a client certificate request and if the client give the certificate inseat the certificate via HTTP header to bigip
(the CDN not make a PKI validation of the client certificate) in "Request" mode of the client certificate
the CDN can validate the client cert only if I work in Required mode of client cert - but its not good for us because we allow some of uri that work without CERT
now the question is if I BIGIP getting the CERT in HTTP header in base64
how I can validate that is trunst certificate but not only via Subject - I need to validate this is the certificate that my CA is give to client
- spalande
Serial number or thumbprint are also the unique values. Can CDN send those in http headers to BIGIP?
- igorzhuk
F5 can send all the client cert in base64 to me
but how I can validate in the bigip?
i will need to add all SN in the DATAGROUP ? if I generate customer certificate (like attacker) the SN cant be same?
- spalande
Yes. You would need to build the data group of all valid client certificates.when BIGIP receives the details of the certificate it would match against the known records and take action if either allow or reject. This needs to be done using an iRule.
Serial number is unique per certificate so if someone try to spoof the certificate also SubjectDN (common name) can be the same but Serial Number won't match.
Following are the unique values of the certificate.
- SubjectDN and Issuer CA (combination)
- Serial Number
- Thumbprint