Forum Discussion
Extract SAN from Client SSL Certificate & Insert into HTTP Header
Hi folks,
I'm working with some co-workers to set up some Slack.com forwarding in our environment. Mutual TLS and the insertion of the SAN from the client certificate into an HTTP header is a requirement. Can anyone help me come up with an iRule or LTM Policy to extract the SAN/CN from the client SSL cert and insert it as an HTTP header? Here's some additional info from Slack:
Configure your TLS-terminating server to request client certificates. Your server should accept client certificates issued by DigiCert SHA2 Secure Server CA, an intermediate CA under DigiCert Global Root CA. These CAs are included in many standard CA certificate bundles.
1- Extract either of the following fields in the certificate.
Subject Alternative Name: DNS:platform-tls-client.slack.com. By RFC 6125, this is the recommended field to extract.
or Subject Common Name: platform-tls-client.slack.com.
2- Inject the extracted domain into a header, and forward the request to your application server. Here's an example header you might add to the request: X-Client-Certificate-SAN: platform-tls-client.slack.com. Whatever you choose to call your header, check to make sure this header hasn't already been added to the request. Your upstream application server must know that the header was added by your TLS-terminating server as part of the Mutual TLS process.
When I apply that iRule my test cert works. Not sure why your environment is different. Here's an alternate iRule you could try.
when HTTP_REQUEST {
    if {[SSL::cert 0] ne ""}{
        set tmpcn [X509::subject [SSL::cert 0]]
        set cn [findstr $tmpcn "CN=" 3]
        HTTP::header replace X-Client-Certificate-SAN $cn
    } else {
        HTTP::header remove X-Client-Certificate-SAN
    }
}
My test results.
curl -k --cert ./platform-tls-client.slack.com.crt --key ./platform-tls-client.slack.com.key https://192.168.1.200:8443/headers.json
{"User-Agent":"curl/7.29.0","Host":"192.168.1.200:8443","Accept":"*/*","X-Client-Certificate-SAN":"platform-tls-client.slack.com"}
Here's what my config looks like.
ltm virtual test_vs {
    creation-time 2019-08-27:10:03:53
    destination 192.168.1.200:pcsync-https
    ip-protocol tcp
    last-modified-time 2019-08-27:10:20:58
    mask 255.255.255.255
    pool slack_pool
    profiles {
        http { }
        mtls_clientssl {
            context clientside
        }
        tcp { }
    }
    rules {
        slack2
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 3
}
ltm profile client-ssl mtls_clientssl {
    app-service none
    authenticate-depth 0
    ca-file f5ca
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain true
    peer-cert-mode require
}
ltm rule slack2 {
when HTTP_REQUEST {
    if {[SSL::cert 0] ne ""}{
        # extract SAN
        set santemp [findstr [X509::extensions [SSL::cert 0]] "Subject Alternative Name" 32 ","]
        # remove DNS: prefix
        set san [findstr $santemp "DNS" 4]
        # insert X-Client-Certificate-SAN header
        HTTP::header replace X-Client-Certificate-SAN $san
    } else {
        HTTP::header remove X-Client-Certificate-SAN
    }
}
}
- Eric_ChenEmployee
I created the following codeshare example that does what is required to generate the X-Client-Certificate-SAN: https://devcentral.f5.com/s/articles/Slack-Mutual-TLS-Recipe-Adding-X-Client-Certificate-SAN-header-from-client-certificate
Hi Eric,
Our application owners have finally gotten around to testing this and we are running into a slight problem. The header is getting inserted, but is including this full value which seems to be breaking things:
platform-tls-client.slack.com X509v3 Key Usage: critical Digital Signature
...do you have any suggestions on how to remove the extra info in the value?
Thanks!
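An added Python model of the header logic, written for this thread and not code from F5 or from the thread's participants, to make two things concrete: Slack's steps 1 and 2 (prefer the SAN DNS name, fall back to the CN, and never trust a copy of the header the client sent), and the over-captured value Alan reports. It assumes the extension text returned by X509::extensions has the OpenSSL dump layout (title line at column 0, values indented), and runs on a constructed sample in that layout with Key Usage listed after the SAN. A read-until-the-next-comma extraction, which is what the posted iRule does, has no comma to stop at when the SAN holds a single entry and runs on into the next extension; decoding Eric's test certificate later in the thread shows its SAN is the last extension, which is why the same code happens to work there. The bounded parser stops at the next unindented line instead.

```python
import re
from typing import Dict, List, Optional

HEADER = "X-Client-Certificate-SAN"

# Constructed sample, not captured from a BIG-IP: the extensions of a client
# certificate in OpenSSL dump form (assumed to be the shape X509::extensions
# returns). Key Usage follows the SAN block, as in the value reported above.
SAMPLE_EXTENSIONS = (
    "X509v3 Subject Alternative Name: \n"
    "    DNS:platform-tls-client.slack.com\n"
    "X509v3 Key Usage: critical\n"
    "    Digital Signature\n"
)

# Constructed subject DN in comma-separated form (assumed X509::subject style).
SAMPLE_SUBJECT = "CN=platform-tls-client.slack.com,O=Slack Technologies Inc,C=US"


def naive_until_comma(extensions_text: str) -> str:
    """Read-until-the-next-comma extraction, the behaviour of the iRule in the
    thread. A single-entry SAN has no trailing comma, so the read runs on into
    the next extension; header whitespace folding then yields the broken value."""
    start = extensions_text.index("DNS:") + len("DNS:")
    end = extensions_text.find(",", start)
    raw = extensions_text[start:] if end == -1 else extensions_text[start:end]
    return " ".join(raw.split())


def extract_san_dns(extensions_text: str) -> List[str]:
    """Return only the DNS entries of the SAN block. The block ends at the
    first line that is not indented, i.e. at the next extension's title."""
    m = re.search(
        r"Subject Alternative Name:([^\n]*\n(?:[ \t]+[^\n]*\n?)*)", extensions_text
    )
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).replace("\n", ",").split(",")]
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]


def extract_cn(subject_dn: str) -> Optional[str]:
    """Fallback per Slack's step 1: the CN, stopping at the next RDN."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject_dn)
    return m.group(1).strip() if m else None


def client_identity(extensions_text: str, subject_dn: str) -> Optional[str]:
    """Prefer the first SAN DNS name (RFC 6125), fall back to the CN."""
    dns_names = extract_san_dns(extensions_text)
    return dns_names[0] if dns_names else extract_cn(subject_dn)


def forwarded_headers(
    request_headers: Dict[str, str],
    cert_present: bool,
    extensions_text: str = "",
    subject_dn: str = "",
) -> Dict[str, str]:
    """Headers to send upstream. Any client-supplied copy of the header is
    dropped first (Slack's step 2), so the value can only come from the
    certificate the TLS-terminating side actually validated."""
    headers = {k: v for k, v in request_headers.items() if k.lower() != HEADER.lower()}
    if cert_present:
        identity = client_identity(extensions_text, subject_dn)
        if identity:
            headers[HEADER] = identity
    return headers


if __name__ == "__main__":
    print("until-comma:", naive_until_comma(SAMPLE_EXTENSIONS))
    print("bounded    :", extract_san_dns(SAMPLE_EXTENSIONS))
    print(forwarded_headers({"Host": "app.internal", HEADER: "spoofed"}, True,
                            SAMPLE_EXTENSIONS, SAMPLE_SUBJECT))
```

The same bounding idea carries back to the iRule: terminate the SAN read at the end of its line (or at the next extension title) rather than at a comma, and keep the `HTTP::header remove` branch so a request without a validated client certificate can never carry the header upstream.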
- Eric_ChenEmployee
Can you send me a sample of your iRule? It is "weird" that it is grabbing that extra information. If you have a way to dump a copy of the Slack cert it would help. Here's my "test" cert that I have been using.
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgIUWzmeqJiZXLywAc2KXLDkQpdGX1wwDQYJKoZIhvcNAQEL
BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
B1NlYXR0bGUxFDASBgNVBAoTC0Y1IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMB4X
DTE5MDcxMDE2MjUwMFoXDTI0MDcwODE2MjUwMFowKDEmMCQGA1UEAxMdcGxhdGZv
cm0tdGxzLWNsaWVudC5zbGFjay5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCzuteu/69oCkhHe7gmyqo+m3BIs73WN419bKt0piYL/qkq6jkZydjq
5cq0Ne/6og9tXvzwX/B00+kyuccq0kv+lBFXSvO6N4mx5CZCWBmGGcEqCQ82lTwZ
B9SE7vsk1kG9WxxMR3M65fEC6mzPNpy7SDj33pGnkpwkmDbvGY45uqYWG8oRxUEV
wfU+HkjkuK6Ny9Ag5n+2naDblkpVfebEXaFqzjdUyuRL8ACpX2u9TW9H6crt08Gc
rNctNwS5HWuntf9XaMFUQeesnCTggfCRvQkFr4D3AalpZGEuBC7mp8CJhG7gFLbz
zzwdK+i+q9Q/FDMts3F067Rb9/AYi7CfAgMBAAGjgaowgacwDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBT19sITL/5oD6wi+PTEI/XSA0dwnDAfBgNVHSMEGDAWgBRkzB44
eEQlLGaY1CwbuiVRM/cPijAoBgNVHREEITAfgh1wbGF0Zm9ybS10bHMtY2xpZW50
LnNsYWNrLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEADPscLML2jmY6byf306FVmtUV
YT/2COAEySdGbmXm2rAeuINyFCOypNg/RhBIi9WyicicHVFjpskVizli+Qaom90h
L1g7MbMhqGL6jUGp81+L4ZJDlQXeJSDu9/KPg1FdiJdK/fe0kQoFFU7ENAjUpclt
7tYtlSQ6idVESZOzPk1Fu7/YCMtiWKNBPnF13fic4rF9Rg/wnX/Ct2Ji/WUSiQ/2
9gZX+YHPm3qm4DFn2fJV6gFKurWyClIai0AX1/+C4rpUJvWi2U/CElAcy4YNm7Vv
ON34sdFIMmfwLksKvA5AuNXFLefc7x/5PaBsDF26syv+NkVcyMjoiQ2T9QtoAQ==
-----END CERTIFICATE-----
and my test CA
-----BEGIN CERTIFICATE-----
MIIDpjCCAo6gAwIBAgIUSpuabxnXu19oLF0fLKu17PNAtqEwDQYJKoZIhvcNAQEL
BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
B1NlYXR0bGUxFDASBgNVBAoTC0Y1IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMB4X
DTE4MDQyMDA2NDMwMFoXDTIzMDQxOTA2NDMwMFowWTELMAkGA1UEBhMCVVMxEzAR
BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxFDASBgNVBAoTC0Y1
IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA5B7v5d/xsEWcmLfhtHDZAE8vAn3qmiEMLT5lFSdxzCg6h0JkqeDF
iv50OGW00h2almjgEDMW+ldmjW+bSlWz5kpqdmzTXLnmw6/UN4Da+8odsw0abplS
6DNz/xjWcdw4YiLFY167AmtDUNXaJ/jTBAgWGYJy/rl2u1vpi1CWiJozpR/g/Jsb
bAxPXG54ZZi2yUbCVh12DmjAqBfU3LFCvvOQHYyjCon76sLnXifrWSjb8EOVJZc8
Vw3IdRq0vf74Q62RgQXNAd1G5hme7kl/RdrrWqxlxCK8XXU2RSVnAX5baVxY/HC0
lvXKsfFbJec+DkTAaZLZN4KJLfkvoylLXQIDAQABo2YwZDAOBgNVHQ8BAf8EBAMC
AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUZMweOHhEJSxmmNQsG7ol
UTP3D4owHwYDVR0jBBgwFoAUZMweOHhEJSxmmNQsG7olUTP3D4owDQYJKoZIhvcN
AQELBQADggEBAN0914undNu7bLOk+wVOTvfkL14jAoRCmv/rQBwvJoWNuU7d7TKk
D0SZ/GME8kNg9RIAY/POCTiISrORIkoMwt4eLv0bDejualvJ7MwqOvgdFby6BuGg
5dVioFfcwQA/i4L0smHX8QY+w8+RlD7DZnHKcx/C7sPHCkrqmLYLDQSalvv8KgwF
mBB/SBS/yACKpaJPCC3Vlj7aPt5aS6GmH25LpAeDM7LLrDHLj+osLbhkGou0ifYy
8RelfbJlI37NjVMJRWF1EsuSG0xYJPFg9/nqM6UPUHxLx+MmSJ6ibBj6MF6cYkKQ
5Okq/kt3E65/mPltGVmGYPFzwfqLIJFx13E=
-----END CERTIFICATE-----
Thank you so much Eric! I really appreciate it.
Best wishes,
Alan