Forum Discussion

icherif_189553
Mar 14, 2016

[F5 LTM 11.4.1 HF9][2-Way-auth] CLIENTSSL_CLIENTCERT is not triggered in the Irule

Hello all, I am trying to implement an iRule to filter CN names. Below is the iRule:

when RULE_INIT {
   set static::org "O=OPS"
   log local0.alert "RULE_INIT"
}

when CLIENTSSL_CLIENTCERT {

   # Check if client provided a cert
   if { [SSL::cert 0] eq "" } {

      # Reset the connection
      reject

   } else {
      # Example Subject DN:  /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
      set subject_dn [X509::subject [SSL::cert 0]]
      log local0.alert "Client Certificate Received: $subject_dn"
      # Check if the client certificate contains the correct O and a CN from the list
      # (cn_allowed is a string data group; on v11 "class match" is the replacement for matchclass)
      if { ([matchclass $subject_dn contains cn_allowed]) and ($subject_dn contains $static::org) } {
         # Accept the client cert
         log local0.alert "Client Certificate Accepted: $subject_dn"
      } else {
         log local0.alert "No Matching Client Certificate Was Found Using: $subject_dn"
         reject
      }
   }
}

The "cn_allowed" contains the list of allowed CNs. When I make a new connection with the browser (after sending the client certificate), I am not getting any log in /var/log/ltm related to the CLIENTSSL_CLIENTCERT section (only the rule init is shown).

Kindly help me to resolve this problem. Thanks in advance.

  • I have also some errors in /var/log/ltm:
    Mar 15 10:52:53 PRI001 debug tmm1[11489]: 01260009:7: Connection error: ssl_shim_vfycerterr:3166: application verification failure (42)
    Mar 15 10:52:53 PRI001 info tmm1[11489]: 01260013:6: SSL Handshake failed for TCP from 10.10.10.52:59419 to 172.172.172.170:82
    Mar 15 10:53:49 PRI001 debug tmm1[11489]: 01260009:7: Connection error: ssl_shim_vfycerterr:3166: application verification failure (42)
    Mar 15 10:53:49 PRI001 info tmm1[11489]: 01260013:6: SSL Handshake failed for TCP from 10.10.10.52:59455 to 172.172.172.170:82
  • Hi icherif, you need to enable "peer cert mode request" in the clientssl profile.
  • Hi Raj, here is the "Client Authentication" config. I think you are speaking about the first field, "Client Certificate".
    • nag_54823: Yes. Still facing issues? Can you share your VIP config too?
  • Hi Raj, yes, auth client (require) was already configured in the client SSL profile.

    Below my VS config:

  • I have recently dealt with this issue. What you are dealing with is an SSL abbreviated handshake. After the client cert is validated, future connections can present the SSL session id to say they belong to an existing session, and this uses an abbreviated handshake which no longer requires the client to be validated again.

    This means CLIENTSSL_CLIENTCERT will only be triggered on the initial connection and subsequent connections will not trigger the event. You can be secure in the fact they are still the same client.
    Note: This causes problems when you need to include information from the SSL negotiation in future HTTP requests. Future connections will not have access to the information in the original connection as they do not share variable scope. In this case you need to store shared info in session tables using the SSL session id as the key. Then in HTTP you can retrieve it from the table as the session id will still be associated with subsequent connection and can be retrieved using [SSL::sessionid].
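The session-table pattern described in this reply, written out as an added iRule example (not code from the thread or from F5): the accepted subject is stored under the SSL session id in CLIENTSSL_CLIENTCERT, and HTTP_REQUEST looks it up so resumed connections, where the cert event never fires, are still checked. The data group `cn_allowed` is from the thread; the subtable name `clientcert`, the one-hour timeout and the `X-Client-Subject` header are assumptions.

```tcl
# Added example: persist the validated client cert subject across
# abbreviated-handshake (resumed) connections, keyed by SSL session id.
# Assumes a string data group "cn_allowed"; subtable name and TTL are assumed.
when RULE_INIT {
    set static::org "O=OPS"
    set static::cert_tbl "clientcert"
    set static::cert_ttl 3600
}

when CLIENTSSL_CLIENTCERT {
    # Fires only on the full handshake; resumed sessions skip this event.
    if { [SSL::cert 0] eq "" } {
        reject
        return
    }
    set subject_dn [X509::subject [SSL::cert 0]]
    if { [class match $subject_dn contains cn_allowed] && ($subject_dn contains $static::org) } {
        # Remember the accepted subject under this SSL session id so later
        # connections that resume the session can look it up.
        table set -subtable $static::cert_tbl [SSL::sessionid] $subject_dn $static::cert_ttl
        log local0. "Client Certificate Accepted: $subject_dn"
    } else {
        log local0. "No Matching Client Certificate Was Found Using: $subject_dn"
        reject
    }
}

when HTTP_REQUEST {
    # Runs for both fresh and resumed connections: the session id is still
    # available here even though CLIENTSSL_CLIENTCERT did not fire.
    set subject_dn [table lookup -subtable $static::cert_tbl [SSL::sessionid]]
    if { $subject_dn eq "" } {
        # No accepted cert recorded for this session: fail closed.
        log local0. "No accepted client cert for SSL session [SSL::sessionid]"
        HTTP::respond 403 content "Client certificate required"
        return
    }
    # Pass the validated subject to the pool member for application use.
    HTTP::header insert X-Client-Subject $subject_dn
}
```

A rejected cert in CLIENTSSL_CLIENTCERT drops the connection before any HTTP_REQUEST, so the table only ever holds subjects that passed the check.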