how to specify a ca_bundle in an irule

Question

We're doing client cert handling in an irule similar to this one: 
&nbsp; http://devcentral.f5.com/Wiki/default.aspx/iRules/RequestClientCertificateAndPassToApplication.html  
&nbsp;  
&nbsp; How can we specify a custom ca bundle for the client cert request? 
&nbsp;  
&nbsp; -Stephen

hoolio · Answer

Hi Stephen, 
&nbsp;  
&nbsp; I think there are two relevant configuration options for the client cert CA bundle.  The first is the trusted CA bundle.  This is what the client cert is actually validated against.  You can get the results of this validation using SSL::verify_result (Click here).   
&nbsp;  
&nbsp; The other option is the advertised CA cert.  This is what LTM sends to the client in order for the client to select a corresponding client cert. 
&nbsp;  
&nbsp; If you're selectively requesting a client cert based on the URI, the client SSL profile client cert option should be set to ignore.  However, when you do this, the GUI removes the option for specifying the advertised CA cert.  Unfortunately, there isn't an option to specify this in an iRule when renegotiating the SSL handshake to request a client cert.   
&nbsp;  
&nbsp; So someone here previously posted a workaround.  You basically configure a parent client SSL profile with the cert mode set to request or require.  You configure the advertised client cert in that profile.  You can then create a child client SSL profile based on the new parent profile.  In that profile, you set the cert mode to ignore and select the 'Trusted Certificate Authorities' to the same client cert CA bundle that you specified in the parent profile for 'Advertised Certificate Authorities'.  It's a little complicated to explain but simple to configure.   
&nbsp;  
&nbsp; Here is an example as shown in the bigip.conf: 
&nbsp;  
&nbsp; -- Parent profile with the Advertised Certificate Authorities configured: 
&nbsp;  
&nbsp;  b profile clientssl clientssl_parent_request_cert list 
&nbsp; profile clientssl clientssl_parent_request_cert { 
&nbsp;    defaults from clientssl 
&nbsp;    client cert ca "my_client_cert_ca_bundle.crt" 
&nbsp;    peer cert mode request 
&nbsp; } 
&nbsp;  
&nbsp; -- Child profile using the parent for details with the Trusted Certificate Authorities configured: 
&nbsp; -- (note that you don't see the Advertised Certificate Authorities option becuase it's not set in this profile--just the parent profile) 
&nbsp;  
&nbsp;  b profile clientssl clientssl_client_ignore_cert list 
&nbsp; profile clientssl clientssl_client_ignore_cert { 
&nbsp;    defaults from clientssl_parent_request_cert 
&nbsp;    ca file "my_client_cert_ca_bundle.crt" 
&nbsp;    peer cert mode ignore 
&nbsp; } 
&nbsp;  
&nbsp; -- Listing of the full properties configured for the Child profile  
&nbsp; -- including those it inherits from the parent profile: 
&nbsp;  
&nbsp;  b profile clientssl clientssl_client_ignore_cert list all 
&nbsp; profile clientssl clientssl_client_ignore_cert { 
&nbsp;    defaults from clientssl_parent_request_cert 
&nbsp;    mode enable 
&nbsp;    key "default.key" 
&nbsp;    cert "default.crt" 
&nbsp;    chain none 
&nbsp;    ca file "my_client_cert_ca_bundle.crt" 
&nbsp;    crl file none 
&nbsp;    client cert ca "my_client_cert_ca_bundle.crt" 
&nbsp;    ciphers "DEFAULT" 
&nbsp;    passphrase none 
&nbsp;    options dont insert empty fragments 
&nbsp;    modssl methods disable 
&nbsp;    cache size 20000 
&nbsp;    cache timeout 3600 
&nbsp;    renegotiate period indefinite 
&nbsp;    renegotiate size indefinite 
&nbsp;    renegotiate max record delay 10 
&nbsp;    handshake timeout 60 
&nbsp;    alert timeout 60 
&nbsp;    peer cert mode ignore 
&nbsp;    authenticate once 
&nbsp;    authenticate depth 9 
&nbsp;    unclean shutdown enable 
&nbsp;    strict resume disable 
&nbsp;    nonssl disable 
&nbsp;    partition Common 
&nbsp; } 
&nbsp;  
&nbsp; One other thing: the iRule you reference doesn't add the cert details to the session table.  So it would not handle SSL session re-use over multiple TCP connections.  Here is an iRule which does do this: 
&nbsp;  
&nbsp; Insert Cert in Server Headers 
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html 
&nbsp;  
&nbsp; Aaron

koen_dreelinck1 · Answer

Hello Stephen,  
&nbsp;    
&nbsp;  Like you, I was having the same problem for this obvious problem. Apparently, there is indeed no option in the GUI to configure this, which I find quite strange ...  
&nbsp;    
&nbsp;  However, I just came across this post: http://devcentral.f5.com/Default.aspx?tabid=53&amp;view=topic&amp;postid=4436   
&nbsp;    
&nbsp;  There it is stated to you can simply define this list using the CLI interface, which works ....  
&nbsp;    
&nbsp;  Nice one to end the year ...  
&nbsp;    
&nbsp;  regards  
&nbsp;    
&nbsp;  Koen  &nbsp;

hoolio · Answer

Hi Koen, 
&nbsp;  
&nbsp; The major issue with making the change via the CLI (which UnRuley explained) is that you cannot view the client SSL profile in the GUI afterwards or the change will be overwritten.  I think the workaround I reposted above is better in that it's not liable to break when someone views the configuration in the GUI. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

how to specify a ca_bundle in an irule

Recent Discussions

How to export a list of paired external service providers from APM?

Service discovery is not happening in AS3

Statistics ›› Analytics : HTTP : Overview

VS FORWARDING & ROUTE

Can F5 be in Bridge Mode or a L2 DDOS to protect from L3-L4 DDOS attack

Related Content

iRules Style Guide

BIG-IP Next: iRules pool routing

Json parsing with iRules

Hey ChatGPT, can you write iRules?

Re: iRules Editor with Visual Studio Code

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS