Forum Discussion
Karthik_Kumaran
Nimbostratus
Mar 20, 2015
Insert Common Name Value to HTTP Header
We have a Virtual server that listens on 443, offloads-ssl and forwards connection to the server on 80.
We want to insert the SSL certificate's Common-name in the HTTP header, when the LTM sends the ...
StephanManthey
Nacreous
Mar 21, 2015
Hi Karthik,
Inserting this information requires a client-ssl profile (providing a server certificate to the client and requesting a client certificate by the server). The header insert also requires an http-profile. You can use an iRule to insert the header. Please adjust the header name according to your needs.

    when CLIENTSSL_CLIENTCERT {
        # Only parse when the client actually presented a certificate
        if {[SSL::cert 0] ne ""} {
            set ssl_clientcert_subject [X509::subject [SSL::cert 0]]
            # findstr: skip the 3 characters of "CN=" and stop at the next ","
            set ssl_clientcert_subject_cn [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
            set ssl_clientcert_issuer [X509::issuer [SSL::cert 0]]
            set ssl_clientcert_issuer_cn [findstr [X509::issuer [SSL::cert 0]] "CN=" 3 ","]
        }
    }
    when HTTP_REQUEST {
        # The variable exists only if a client certificate was seen on this connection
        if {[info exists ssl_clientcert_subject_cn]} {
            HTTP::header insert ClientCertSubjectCn "$ssl_clientcert_subject_cn"
        }
    }

Please note other interesting variables in this context:

    HTTP::header replace "BIGIP_SSL_CIPHER_NAME" "[SSL::cipher name]"
    HTTP::header replace "BIGIP_SSL_CIPHER_BITS" "[SSL::cipher bits]"
    HTTP::header replace "BIGIP_SSL_PROTOCOL" "[SSL::cipher version]"
    HTTP::header replace "BIGIP_SSL_SESSIONID" "[SSL::sessionid]"

I'm currently not sure about using white spaces in a header value (as it might be the case if the CN contains whitespace characters) and if it would be required to encode them.
Thanks, Stephan
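
A hardened variant of the iRule above, as an added example that is not part of the original post: it removes any client-supplied copy of the header before inserting the BIG-IP's own value, and percent-encodes the CN with `URI::encode` so whitespace is never sent raw. The header name follows the post; encoding the value is an assumption here, and the back end would have to decode it.

```tcl
# Added example, not from the original post.
# Assumption: the back end percent-decodes the ClientCertSubjectCn value.
when CLIENTSSL_CLIENTCERT {
    # Clear any value left from an earlier handshake on this connection.
    unset -nocomplain client_cn
    if { [SSL::cert count] > 0 } {
        # Same extraction as in the post: text after "CN=" up to the next ","
        set client_cn [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
    }
}
when HTTP_REQUEST {
    # Remove every copy of the header the client may have sent itself, so the
    # back end only ever sees a value that was set by the BIG-IP.
    HTTP::header remove "ClientCertSubjectCn"
    if { [info exists client_cn] && $client_cn ne "" } {
        # URI::encode percent-encodes spaces and other special characters.
        HTTP::header insert "ClientCertSubjectCn" [URI::encode $client_cn]
    }
}
```

Because the header is removed on every request, a request without a client certificate reaches the server with no `ClientCertSubjectCn` header at all.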
