Forum Discussion

icherif_189553's avatar
icherif_189553
Icon for Nimbostratus rankNimbostratus
Mar 14, 2016

[F5 LTM 11.4.1 HF9][2-Way-auth] CLIENTSSL_CLIENTCERT is not triggered in the Irule

Hello all, I am trying to implement an Irule to filter CN names. below the irule :

when RULE_INIT {
   set static::org "O=OPS"
    log local0.alert "RULE_INIT"
}

when CLIENTSSL_CLIENTCERT {

    Check if client provided a cert
   if {[SSL::cert 0] eq ""}{

       Reset the connection
      reject

   } else {
      Example Subject DN:  /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
      set subject_dn [X509::subject [SSL::cert 0]]
      log local0.alert "Client Certificate Received: $subject_dn"
      Check if the client certificate contains the correct O and a CN from the list
      if { ([matchclass $subject_dn contains cn_allowed]) and ($subject_dn contains $static::org) } {
         Accept the client cert
         log local0.alert "Client Certificate Accepted: $subject_dn"
      } else {
         log local0.alert "No Matching Client Certificate Was Found Using: $subject_dn"
         reject
      }
   }
}

The "cn_allowed" contains the list of allowed CNs. When I make a new connection with the browser (after sending the client certificate), I am not getting any log in /var/log/ltm related to the CLIENTSSL_CLIENTCERT section (only the rule init is shown).

Kindly help me to resolve this problem. Thanks in advance.

application delivery
clientssl_clientcert
irule
iRules
LTM
ssl
tls

7 Replies

Sort By
  • icherif_189553's avatar
    icherif_189553
    Icon for Nimbostratus rankNimbostratus
    Mar 15, 2016
    I have also some errors in /var/log/ltm: Mar 15 10:52:53 PRI001 debug tmm1[11489]: 01260009:7: Connection error: ssl_shim_vfycerterr:3166: application verification failure (42) Mar 15 10:52:53 PRI001 info tmm1[11489]: 01260013:6: SSL Handshake failed for TCP from 10.10.10.52:59419 to 172.172.172.170:82 Mar 15 10:53:49 PRI001 debug tmm1[11489]: 01260009:7: Connection error: ssl_shim_vfycerterr:3166: application verification failure (42) Mar 15 10:53:49 PRI001 info tmm1[11489]: 01260013:6: SSL Handshake failed for TCP from 10.10.10.52:59455 to 172.172.172.170:82
  • nag_54823's avatar
    nag_54823
    Icon for Cirrostratus rankCirrostratus
    Mar 15, 2016
    Hi icherif, You need to enable "peer cert mode request" in clientssl profile.
  • nag_54823's avatar
    nag_54823
    Icon for Cirrostratus rankCirrostratus
    Mar 15, 2016

    Hi icherif, You need to enable "peer cert mode request" in clientssl profile

     

  • icherif_189553's avatar
    icherif_189553
    Icon for Nimbostratus rankNimbostratus
    Mar 15, 2016

    Hi Raj, Here is the "Client Authentication" Config. I think you are speaking about the first field "Client Certificate".

     

     

    • nag_54823's avatar
      nag_54823
      Icon for Cirrostratus rankCirrostratus
      Mar 15, 2016
      yes. still facing issues ? can u share you vip config too
  • icherif_189553's avatar
    icherif_189553
    Icon for Nimbostratus rankNimbostratus
    Mar 15, 2016

    Hi Raj, Yes auth client (require) was already configured in the client ssl profile

     

    Below My VS Config

     

     

  • Kevin_Davies_40's avatar
    Kevin_Davies_40
    Icon for Nacreous rankNacreous
    Jun 22, 2016

    I have recently dealt with this issue. What you are dealing with is SSL abbreviated handshake. After the client cert is validated, future connections can present the SSL session id to say they belong to an existing session and this uses an abbreviated handshake which no longer requires client to be validated again.

     

    This means CLIENTSSL_CLIENTCERT will only be triggered on the initial connection and subsequent connections will not trigger the event. You can be secure in the fact they are still the same client.

     

    Note: This causes problems when you need to include information from the SSL negotiation in future HTTP requests. Future connections will not have access to the information in the original connection as they do not share variable scope. In this case you need to store shared info in session tables using the SSL session id as the key. Then in HTTP you can retrieve it from the table as the session id will still be associated with subsequent connection and can be retrieved using [SSL::sessionid].