Miguel_111028
Oct 23, 2008

Inserting SSL client certificate into the header of the HTTP session

Hello group,

I do not have much experience in creating iRules and I need to set an iRule on an https virtual server with client certificate authentication. The iRule should do the following:

1. Insert the entire client certificate (in PEM format) as a multiline HTTP header named X-Client-Cert into the incoming HTTP request and send this header to the backend server.

2. Insert the original IP address of the client into an HTTP header named X-Forwarder-For and send this header to the backend server. I need this because I must use the SNAT Pool auto map feature on the virtual servers involved.

Is it possible to do all this in only one iRule?

Thank you.

Miguel Angel.

 

16 Replies

  • Jeff,

    You would also need to configure/modify the app to read the custom HTTP headers which LTM inserts.

    Aaron
  • Hello

    I'm new to iRules and HTTPS and this link has been very helpful so far.

    I too want to add the certificate's data to the HTTP header and send it to the backend server. But can anyone please tell me - when using "HTTP::header insert" calls, what will be the actual output header I would expect?

    For example, for the following inserts:

        HTTP::header insert SSLClientCertStatus $ssl_errstr2
        HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
        HTTP::header insert SSLClientCertb64 [b64encode $ssl_cert2]

    what is the HTTP header going to look like?

    And also - what other SSL attributes can I insert into the HTTP header? (And what are they going to look like in the actual HTTP header?)

    Thanks.

    Tom
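Added example (not from this thread or from F5) showing, in Python, the backend side that Aaron and Tom are asking about: what the SSLClientCertb64 value looks like (one base64 line, i.e. the PEM body without the BEGIN/END armor, since a multiline PEM cannot sit in a header) and how the application should consume it, only when the TCP peer is the BIG-IP and only when SSLClientCertStatus is "ok". The header names are those from Tom's inserts; the proxy address and certificate bytes are constructed, and it assumes SSL::cert returns the DER form of the certificate (so b64encode of it is the PEM body).

```python
import base64
import binascii
import textwrap
from typing import Optional

# Header names as in the inserts quoted above; the proxy address is a constructed value
# standing in for the BIG-IP self-IP / SNAT address the backend actually sees as its TCP peer.
STATUS_HEADER = "SSLClientCertStatus"
CERT_HEADER = "SSLClientCertb64"
TRUSTED_PROXIES = {"10.0.0.5"}

# Constructed stand-in for a DER certificate: SEQUENCE tag, a length, then filler bytes.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(20)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")


def pem_to_header_value(pem: str) -> str:
    """Collapse a PEM block (what X509::whole yields) to the single base64 line an HTTP
    header can carry; it equals base64 of the DER bytes, i.e. [b64encode [SSL::cert 0]]."""
    return "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))


def der_to_pem(der: bytes) -> str:
    """Re-wrap DER bytes as a PEM block with 64-character lines for the app's TLS library."""
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def client_cert_from_headers(peer_ip: str, headers: dict) -> Optional[str]:
    """Return the forwarded client certificate as PEM, or None when it must not be trusted.

    The headers mean something only when the TCP peer is the load balancer (with SNAT automap
    the backend sees the BIG-IP's address, not the client's), the status header reports that
    the handshake verification passed, and the value is well-formed base64.
    """
    if peer_ip not in TRUSTED_PROXIES:
        return None  # any other peer could have written these headers itself
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if h.get(STATUS_HEADER.lower()) != "ok":
        return None
    try:
        der = base64.b64decode(h.get(CERT_HEADER.lower(), ""), validate=True)
    except (binascii.Error, ValueError):
        return None
    if not der.startswith(b"\x30"):  # every DER certificate begins with a SEQUENCE tag
        return None
    return der_to_pem(der)
```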
  • zafer
    Hi All

    I want to authenticate clients with their certificate and SSL offload on bigip.

    I created two profiles on bigip: Client and Server SSL.

    Client SSL profile: I set certificate, keys, chain, Trusted Certificate Auth, and the Client Authentication section enabled with require or request.

    Server SSL profile: I set certificate, keys, chain, Trusted Certificate Auth, and Server Authentication (ignore and require).

    But it does not work.

    I found the iRule for inserting the client cert into the header but I still have the problem.

    Do I need to configure something on the IIS site?

    Could you please help me with this issue.

    Regards

    zafer
  • Hi zafer,

    Can you create a new post which details what your current VIP, client SSL and pool configurations are, what the client sees when trying to connect to the virtual server and ideally analysis of tcpdumps of a failure? If you need help capturing or analyzing the tcpdumps, you can check these solutions:

    SOL411: Overview of packet tracing with the tcpdump utility
    https://support.f5.com/kb/en-us/solutions/public/0000/400/sol411.html

    SOL1893: Packet trace analysis
    https://support.f5.com/kb/en-us/solutions/public/1000/800/sol1893.html

    To list the VIP, client SSL profile and pool config, you can use 'b virtual VIP_NAME list', 'b profile clientssl CLIENTSSL_PROFILE_NAME list all' and 'b pool POOL_NAME list'.

    Can you also clarify whether the IIS server requires a client certificate?

    Aaron
  • Greetings everyone,

    I'm trying to implement SSL with client certificate authentication. I have already generated a key and secured a test certificate from Verisign, installed the test root certificate from Verisign on my test browser, and installed and bundled the test certificate, intermediate certificate and root certificate from Verisign on bigip. I configured the nodes, a pool to port 80 and a virtual server to port 443, the client profile and iRule, with NAT and port translation enabled. Also part of the virtual server configuration is enabling the SSL Client profile set to use the chain and trusted CA, with client authentication set to required always.

    When doing a browsing check from my client passing through bigip, at first without intermediate and server certificate, the browser would ask me to download and trust the certificate presented by bigip, which I complied with, and so I am able to view the page. The problem is that it seems the client, after the first session, still doesn't have the matching certificate after installing the certificate from bigip. Checking the client's certificate store, the chain is already there. So to further check the session, I used this iRule:

        when CLIENTSSL_HANDSHAKE {
            log local0. "Trigger 1"
            set cur [SSL::sessionid]
            log local0. $cur
            set ask [session lookup ssl $cur]
            set ssl_cert [SSL::cert 0]
            set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
            if { $ssl_cert eq "" } {
                set ssl_stuff [list "No Certificate" $ssl_errstr]
            } else {
                set ssl_stuff [list $ssl_cert $ssl_errstr]
            }
            # Log value of ssl_stuff
            log local0. $ssl_stuff
            session add ssl [SSL::sessionid] $ssl_stuff
            # Create a log for debug
            log local0. "session add ssl [SSL::sessionid] $ssl_stuff"
        }

        when HTTP_REQUEST {
            # Add information to header request
            log local0. "Trigger 2"
            set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
            set ssl_cert2 [lindex $ssl_stuff2 0]
            set ssl_errstr2 [lindex $ssl_stuff2 1]
            log local0. $ssl_errstr2
            if { $ssl_errstr2 eq "ok"} {
                HTTP::header insert $ssl_stuff2
                log local0. "[HTTP::header names]"
            }
        }


    The logs are:

        Oct 28 14:35:57 tmm tmm[1914]: Rule _header_insert : Trigger 1
        Oct 28 14:35:57 tmm tmm[1914]: Rule _header_insert : 0000000000000000000000000000000000000000000000000000000000000000
        Oct 28 14:35:57 tmm tmm[1914]: Rule _header_insert : {No Certificate} ok
        Oct 28 14:35:57 tmm tmm[1914]: Rule _header_insert : session add ssl 0000000000000000000000000000000000000000000000000000000000000000 {No Certificate} ok
        Oct 28 14:35:58 tmm tmm[1914]: Rule _header_insert : Trigger 2
        Oct 28 14:35:58 tmm tmm[1914]: Rule _header_insert : ok
        Oct 28 14:35:58 tmm tmm[1914]: Rule _header_insert : Accept Accept-Language Accept-Encoding User-Agent Host Connection Cache-Control No Certificate


    I want to use the CLIENTSSL_CLIENTCERT event but it seems this event is not triggered at all when I'm using the SSL profile with client authentication set to Request. Later we would like to create another SSL profile, this time with client authentication set to Required. I'm using BIG-IP 9.4.8 Build 355.0 Final. We're planning to purchase another set of bigip machines, this time 8900s for SSL acceleration, but we're still undecided because of these problems.

    Hope somebody could help.

    Thanks.