Forum Discussion
Insert Common Name Value to HTTP Header
We have a virtual server that listens on 443, offloads SSL and forwards the connection to the server on 80. We want to insert the SSL certificate's Common Name in the HTTP header when the LTM sends the connection to the backend servers on 80, so the backend servers are aware of the Common Name in the SSL transaction between the client and the LTM. Are there any options available in the HTTP profile or SSL profile for this, or can this be done using an iRule?
This is available in Cisco ACE using the "ssl header-insert client-cert Subject-CN" command in an action-list. Trying to identify how this can be done in LTM.
- Michael_Jenkins (Cirrostratus)
I'm not where I can test it, but do these links help give you an idea of how to accomplish it? Validate cert cn and the SSL::cert wiki page.
Then you could use the command

```tcl
# HTTP::header insert <header name> <header value>
HTTP::header insert "SOMETHING" "VALUE"
```

to insert a header into the request.
Hi Karthik,
Inserting this information requires a client-ssl profile (providing a server certificate to the client and having the server request a client certificate). The header insert also requires an HTTP profile. You can use an iRule to insert the header. Please adjust the header name according to your needs.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Fires once the client has presented its certificate chain.
    # SSL::cert 0 is the leaf certificate; it is empty if the client sent none.
    if {[SSL::cert 0] ne ""} {
        set ssl_clientcert_subject    [X509::subject [SSL::cert 0]]
        # Text after "CN=" (skip 3 characters) up to the next comma.
        set ssl_clientcert_subject_cn [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
        set ssl_clientcert_issuer     [X509::issuer [SSL::cert 0]]
        set ssl_clientcert_issuer_cn  [findstr [X509::issuer [SSL::cert 0]] "CN=" 3 ","]
    }
}

when HTTP_REQUEST {
    # Never pass through a copy of this header supplied by the client itself;
    # the back end must only ever see the value taken from the certificate.
    HTTP::header remove ClientCertSubjectCn
    if {[info exists ssl_clientcert_subject_cn]} {
        HTTP::header insert ClientCertSubjectCn "$ssl_clientcert_subject_cn"
    }
}
```
Please note other interesting variables in this context:
```tcl
# Also in HTTP_REQUEST; details of the client-side TLS session
HTTP::header replace "BIGIP_SSL_CIPHER_NAME" "[SSL::cipher name]"
HTTP::header replace "BIGIP_SSL_CIPHER_BITS" "[SSL::cipher bits]"
HTTP::header replace "BIGIP_SSL_PROTOCOL"    "[SSL::cipher version]"
HTTP::header replace "BIGIP_SSL_SESSIONID"   "[SSL::sessionid]"
```

I'm currently not sure about using white space in a header value (as might be the case if the CN contains whitespace characters) and whether it would be required to encode it.
Thanks, Stephan
- Karthik_Kumaran (Nimbostratus)
Thanks for the responses, Mike and Steve.
Steve, in your iRule, does the "when CLIENTSSL_CLIENTCERT" condition make the header changes required during the LTM-to-backend pool server communication? In my case the client hits the virtual server on 443, the LTM does SSL offload and transfers the connection to the backend pool server on 80. I want the CN insertion in the header while the LTM sends the connection to the backend pool server on 80.
- Hi Karthik,
Yes, that's exactly the expected behavior. In the context of CLIENTSSL_CLIENTCERT the CN will be retrieved from the certificate sent by the client and stored in a variable. After the client has sent an HTTP request over the established connection, the HTTP_REQUEST event will be fired and the header named "ClientCertSubjectCn" will be inserted with the value of the CN. Feel free to give another name to the header. I just picked this name as I do not know exactly the header name the ACE will use. After looking up the Cisco doc it looks like the header name is "ClientCert-Subject-CN". That's why the relevant line would be changed into:

```tcl
HTTP::header insert ClientCert-Subject-CN "$ssl_clientcert_subject_cn"
```

Thanks, Stephan

PS: For testing proper client auth configuration in your client-ssl profile you may want to use the posted iRule (2nd one for SSL) in the following thread: https://devcentral.f5.com/questions/irule-to-emulate-web-server-in-lab-environment-plaintext-version-nossl
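The two points the thread leaves open are what the back end on port 80 should do with the header once it arrives, and whether the CN value needs encoding. The following is an added example (not code from the thread, from F5, or from Cisco) that models both from the pool member's side in Python. It assumes the comma-separated subject form that the iRule's findstr relies on, uses the "ClientCert-Subject-CN" header name from the reply above, and treats the LTM address 10.0.0.5 and the sample subjects as constructed values.

```python
"""
Back-end handling of the ClientCert-Subject-CN header inserted by the LTM.

Added example (not from the DevCentral thread or from F5). Shows:
  1. the CN as the iRule's findstr extracts it, and what happens when the
     CN itself contains an escaped comma or white space;
  2. why the pool member must only honour the header when the TCP peer is
     the LTM, and how a non-ASCII CN can travel in a header unambiguously.
The LTM address and the sample subjects below are constructed assumptions.
"""
import re
from typing import Optional
from urllib.parse import unquote

HEADER = "ClientCert-Subject-CN"
# Assumed: the LTM self-IP / SNAT address as seen by the pool member.
TRUSTED_PROXIES = {"10.0.0.5"}


def cn_findstr(subject: str) -> str:
    """Same result as the iRule's  findstr $subject "CN=" 3 ",":
    text after the first "CN=" up to the next comma (or end of string)."""
    i = subject.find("CN=")
    if i < 0:
        return ""
    rest = subject[i + 3:]
    j = rest.find(",")
    return rest if j < 0 else rest[:j]


def cn_rfc4514(subject: str) -> str:
    """RDN-aware extraction: a comma escaped as "\\," (RFC 4514) stays inside
    the value instead of cutting the CN short as findstr does."""
    for rdn in re.split(r"(?<!\\),", subject):
        name, _, value = rdn.strip().partition("=")
        if name.strip().upper() == "CN":
            return value.replace("\\,", ",")
    return ""


def encode_cn(cn: str) -> str:
    """Make a CN safe as an HTTP field value. Spaces are legal inside a field
    value (RFC 7230), so they stay. Anything outside printable ASCII, plus a
    literal '%', is percent-encoded as UTF-8 so the back end can decode it
    unambiguously with urllib.parse.unquote."""
    out = []
    for ch in cn:
        if 0x20 <= ord(ch) <= 0x7E and ch != "%":
            out.append(ch)
        else:
            out.append("".join(f"%{b:02X}" for b in ch.encode("utf-8")))
    return "".join(out)


def trusted_cn(remote_addr: str, headers: dict) -> Optional[str]:
    """Return the client-certificate CN, or None when it must not be trusted.

    Anyone who can reach port 80 directly can send this header themselves,
    so it is only meaningful when the connection comes from the LTM.
    Header names are matched case-insensitively, as HTTP requires."""
    if remote_addr not in TRUSTED_PROXIES:
        return None
    for name, value in headers.items():
        if name.lower() == HEADER.lower():
            return unquote(value.strip())
    return None


if __name__ == "__main__":
    # Constructed sample subjects, comma-separated like X509::subject output.
    plain = "CN=web01.example.com,OU=Ops,O=Example Corp,C=US"
    tricky = "CN=Smith\\, John,OU=Ops,O=Example Corp,C=US"
    print(cn_findstr(plain), "|", cn_rfc4514(plain))
    print(cn_findstr(tricky), "|", cn_rfc4514(tricky))
    hdr = {HEADER: encode_cn("Müller GmbH")}
    print(hdr, trusted_cn("10.0.0.5", hdr), trusted_cn("192.0.2.9", hdr))
```

The trust check is the part that matters: an HTTP::header insert on the LTM only tells the back end who presented a certificate if nothing else can reach port 80 and set the same header, so pair the iRule with a pool-member firewall rule or at least the source-address check above. White space in the CN needs no encoding, but a CN with characters outside ASCII does, and the encoding has to be agreed between the iRule and the back end.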
- Karthik_Kumaran (Nimbostratus)
Thanks Steve.