Forum Discussion
Extract SAN from Client SSL Certificate & Insert into HTTP Header
- Aug 28, 2019
When I apply that iRule my test cert works. Not sure why your environment is different. Here's an alternate iRule you could try.
    when HTTP_REQUEST {
        if {[SSL::cert 0] ne ""}{
            set tmpcn [X509::subject [SSL::cert 0]]
            set cn [findstr $tmpcn "CN=" 3]
            HTTP::header replace X-Client-Certificate-SAN $cn
        } else {
            HTTP::header remove X-Client-Certificate-SAN
        }
    }
My test results.
    curl -k --cert ./platform-tls-client.slack.com.crt --key ./platform-tls-client.slack.com.key https://192.168.1.200:8443/headers.json
    {"User-Agent":"curl/7.29.0","Host":"192.168.1.200:8443","Accept":"*/*","X-Client-Certificate-SAN":"platform-tls-client.slack.com"}
Here's what my config looks like.
    ltm virtual test_vs {
        creation-time 2019-08-27:10:03:53
        destination 192.168.1.200:pcsync-https
        ip-protocol tcp
        last-modified-time 2019-08-27:10:20:58
        mask 255.255.255.255
        pool slack_pool
        profiles {
            http { }
            mtls_clientssl {
                context clientside
            }
            tcp { }
        }
        rules {
            slack2
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 3
    }
    ltm profile client-ssl mtls_clientssl {
        app-service none
        authenticate-depth 0
        ca-file f5ca
        cert-key-chain {
            default {
                cert default.crt
                key default.key
            }
        }
        defaults-from clientssl
        inherit-ca-certkeychain true
        inherit-certkeychain true
        peer-cert-mode require
    }
    ltm rule slack2 {
        when HTTP_REQUEST {
            if {[SSL::cert 0] ne ""}{
                # extract SAN
                set santemp [findstr [X509::extensions [SSL::cert 0]] "Subject Alternative Name" 32 ","]
                # remove DNS: prefix
                set san [findstr $santemp "DNS" 4]
                # insert X-Client-Certificate-SAN header
                HTTP::header replace X-Client-Certificate-SAN $san
            } else {
                HTTP::header remove X-Client-Certificate-SAN
            }
        }
    }
Hi Eric,
Our application owners have finally gotten around to testing this and we are running into a slight problem. The header is getting inserted, but is including this full value which seems to be breaking things:
platform-tls-client.slack.com X509v3 Key Usage: critical Digital Signature
...do you have any suggestions on how to remove the extra info in the value?
Thanks!
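To see why the header ends up carrying the Key Usage text, here is an added Python model (not code from the thread or from F5) of the iRule's two findstr calls run over a constructed copy of what X509::extensions returns, next to a parse that stays on the SAN line; the findstr semantics and the exact whitespace of the extensions text are assumptions.

```python
import re

# Constructed sample of X509::extensions output for a cert with a single DNS
# SAN followed by a Key Usage extension (indentation is assumed, not captured).
SINGLE_SAN_EXT = (
    "X509v3 Subject Alternative Name:\n"
    "        DNS:platform-tls-client.slack.com\n"
    "X509v3 Key Usage: critical\n"
    "    Digital Signature\n"
)

# Same layout with two SANs, comma-separated as OpenSSL prints them.
MULTI_SAN_EXT = (
    "X509v3 Subject Alternative Name:\n"
    "        DNS:platform-tls-client.slack.com, DNS:api.example.test\n"
    "X509v3 Key Usage: critical\n"
    "    Digital Signature\n"
)


def findstr(text: str, needle: str, skip: int, terminator: str = "") -> str:
    """Assumed findstr semantics: locate needle, skip `skip` chars from its
    start, return up to the terminator or, if none follows, to end of text."""
    start = text.find(needle)
    if start < 0:
        return ""
    start += skip
    end = text.find(terminator, start) if terminator else -1
    return text[start:] if end < 0 else text[start:end]


def san_naive(ext_text: str) -> str:
    """The iRule logic from the thread: comma-terminated findstr, then strip
    'DNS:'. Whitespace is collapsed the way the header value appeared."""
    santemp = findstr(ext_text, "Subject Alternative Name", 32, ",")
    return " ".join(findstr(santemp, "DNS", 4).split())


# Capture only the line that follows the SAN label, never the next extension.
SAN_LINE = re.compile(r"Subject Alternative Name:\s*([^\n]+)")


def san_dns_names(ext_text: str) -> list[str]:
    """Return every DNS: entry on the SAN line, in order."""
    m = SAN_LINE.search(ext_text)
    if not m:
        return []
    entries = (e.strip() for e in m.group(1).split(","))
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]
```

With one SAN there is no comma to stop on, so the naive version runs into the Key Usage extension; with two SANs it silently returns only the first, which the line-bound parse also avoids.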
Can you send me a sample of your iRule? It is "weird" that it is grabbing that extra information. If you have a way to dump a copy of the Slack cert it would help. Here's my "test" cert that I have been using.
and my test CA