Forum Discussion

Stanley_87566
Sep 06, 2012

iRule for certificate injection into the HTTP header

I tried the iRule below according to the McAfee KB for their MDM solution, but it does not seem to work. Is there any sample VS or pool config? How do I configure the F5 to "request a certificate"? Is it only a matter of assigning the SSL Server profile?

https://kc.mcafee.com/corporate/ind...dadf007eb4

  • This is an example which you might need to modify to work correctly in your environment.
  • You must also configure the F5 Appliance to Request a Certificate from the connecting devices:
  • Lines beginning with a # contain comments that will help you to configure the iRule.

    # Client has already established an SSL connection with the load balancer

    # This event is triggered when an http request is detected
    when HTTP_REQUEST {
        # check if the uri starts with /Trust
        if { [HTTP::uri] starts_with "/Trust" } {
            # if it does, check if the client offered a certificate by the cert count.
            if { [SSL::cert count] <= 0 } {
                # if there is no client certificate hold the HTTP request till the SSL re-negotiation is done. Note the cert request.
                # (HTTP::collect was not in the posted text; it is the command that holds the request and is assumed from the comment above)
                HTTP::collect
                SSL::session invalidate
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode request
                SSL::renegotiate
            } else {
                # else set variable c_cert with the client side certificate
                set c_cert [SSL::cert 0]
            }
        }
    }

    # This event is triggered when the load balancer sees a certificate message from the client
    when CLIENTSSL_CLIENTCERT {
        # release any stored data just in case
        # (HTTP::release was not in the posted text; assumed from the comment above, it lets the held request continue)
        HTTP::release
        # if there is still no cert after the SSL renegotiation kill the connection by sending a reset back to the client
        if { [SSL::cert count] < 1 } {
            reject
        } else {
            # otherwise set variable c_cert with the client side certificate. 0 is the first cert, 1 the second, etc.
            set c_cert [SSL::cert 0]
        }
    }

    # This event is triggered when sending data to the server
    when HTTP_REQUEST_SEND {
        # evaluate the if statement under client-side context
        clientside {
            # if there is a client side cert base64 encode it and inject it in the header
            if { [info exists c_cert] } {
                HTTP::header insert X-Client-Cert [b64encode $c_cert]
            } else {
            }
        }
    }

 

  • At a minimum you need a client SSL profile applied to the VIP with the following characteristics:

    Certificate - the server SSL certificate

    Key - the server SSL key

    Client Authentication Client Certificate - set to ignore

    Client Authentication Trusted Certificate Authorities - set to the CA certificate (or chain) that can validate the client's certificate

    Client Authentication Advertised Certificate Authorities - set to the CA certificate (or chain) to customize the browser's certificate choices

    The above iRule could be simplified greatly if you just set the client SSL profile's Client Authentication Client Certificate to Request or Require. The profile now controls the request of client certificate and your iRule can look like this:

    
    when HTTP_REQUEST {
    HTTP::header insert X-Client-Cert [b64encode [SSL::cert 0]]
    }
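    An added example, not code from the thread or from the McAfee KB: a hardened form of the simplified rule above. It strips any X-Client-Cert header the client sent itself before inserting its own, inserts only when a certificate was actually presented and verified, and answers /Trust requests that arrive without one with a 403. It assumes the client SSL profile's Client Certificate is set to Request as described above; the SSL::verify_result check, the log line and the 403 response are my assumptions, not part of the thread's rule.

```tcl
# Added example (not from the thread or the McAfee KB). Assumes the client
# SSL profile's Client Certificate setting is Request, so the handshake itself
# asks for a cert, and that the back end reads the X-Client-Cert header
# named in the thread.
when HTTP_REQUEST {
    # Drop any X-Client-Cert header the client sent itself, so the back end
    # only ever sees the value the BIG-IP sets below. HTTP::header insert
    # alone would leave a client-supplied copy in front of ours.
    HTTP::header remove "X-Client-Cert"

    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        # A certificate was presented and chained to a trusted CA
        # (verify_result 0 is X509_V_OK). Forward it base64-encoded, the
        # same encoding the thread's rule uses.
        HTTP::header insert "X-Client-Cert" [b64encode [SSL::cert 0]]
    } elseif { [HTTP::uri] starts_with "/Trust" } {
        # The path the original rule protects: no valid cert, no access.
        # (Assumed policy; the thread's rule resets the connection instead.)
        log local0. "No valid client cert for /Trust from [IP::client_addr]"
        HTTP::respond 403 content "client certificate required"
    }
}
```

    Requests outside /Trust without a certificate still pass through, but with no X-Client-Cert header at all, so the back end can tell "no cert" from "cert present" unambiguously.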
    

  • Thx Kevin,

    But there are 3 SSL certificates that need to be installed for the MDM solution. 1 EV-SSL certificate with its intermediate CA has already been assigned to the virtual server with the client SSL profile and synced with the MDM server. Also, Android devices are working fine. The problem only happens on iPhone & iPad, and it should be happening with the Apple MDM certificate and push certificate, since McAfee claims that these 2 certificates do not need to be installed on F5 or assigned to the Virtual server.
  • I should mention that the most significant difference between your iRule and mine, aside from size, is that your iRule triggers an SSL re-negotiation to get the client certificate if the user attempts to access /Trust. If that's what you need then your iRule should work just fine and you'd want to set the Client Authentication to "ignore" in the client SSL profile.

    Are you asking how to request all three, or some specific certificate from the devices? An SSL re-negotiation is only going to be able to request a single certificate. Which certificate you request depends entirely on the client application and the trusted certificate authorities and advertised certificate authorities properties of the client SSL profile.