
Forum Discussion

Nuruddin_Ahmed_
Sep 06, 2016

irule to pass the client authentication certificate to pool member

Hi,


I am using client certificate authentication with the require option in one of the SSL profiles. To the VS I have applied a regular SSL profile which would offload the SSL. If the traffic comes from a specific source, then I have a client certificate authentication profile which is applied using a specific iRule. Now, I want help developing an iRule which would also pass the client authentication certificate to the pool member; any help would be greatly appreciated.


Regards


2 Replies

  • Hi Nuruddin,

    to forward the X509v3 client certificate of a mutual SSL handshake you may use the iRule below as a starting point...

    when CLIENTSSL_HANDSHAKE {
        # Runs once the client-side handshake completes. SSL::cert 0 is the
        # DER-encoded leaf certificate; base64 makes it safe to carry in a header.
        if { [SSL::cert count] > 0 } then {
            set x509cert [b64encode [SSL::cert 0]]
        } else {
            set x509cert ""
        }
    }
    when HTTP_REQUEST {
        # Always strip any client-supplied copy of the header so a client cannot
        # inject its own value, then insert what was captured from the handshake.
        # The info exists check avoids a runtime error if no handshake event set
        # the variable on this connection.
        HTTP::header remove "X-CLIENT-X509v3"
        if { [info exists x509cert] && $x509cert ne "" } then {
            HTTP::header insert "X-CLIENT-X509v3" $x509cert
        } else {
            HTTP::header insert "X-CLIENT-X509v3" "None"
        }
    }

    Cheers, Kai

  • Okay, so in a mutually authenticated SSL handshake, the client will send his certificate first, and then in a separate "certificate verify" message, send a piece of data that is digitally signed (encrypted with his private key). The server authenticates the client by first validating his certificate and then by validating the digital signature, whereby the server uses the client's public key to decrypt the message inside the digitally signed certificate verify message.


    With that in mind, if a proxy decrypts that traffic, it CANNOT pass the client's certificate to the server side in a server side SSL handshake. And specifically, it cannot do that because it would not have access to the client's private key in order to generate the appropriate digital signature.


    Once you've decrypted the traffic at the proxy, you have access to the certificate itself, and the x509 data within, which you can pass to the backend pool member as an HTTP header, or in some other supported form. But it cannot be in the server side SSL handshake.


    F5's Access Policy Manager (APM) is great at handling this scenario because it can also convert that client side certificate auth to server side Kerberos auth, or other supported forms.