Forum Discussion

Jason_Witt_4207
Historic F5 Account
Oct 24, 2005

iRule to require SSL Client Certs for a URI

Working on developing a rule based on the "SSL Client Cert for URI" example in Docs and Tips. We first tried the rule verbatim, with the exception of changing the URI to match what they wanted to protect. This works fine for the non-protected URIs, but the protected URI just hangs.

    rule stock_ssl_req {
        when CLIENT_ACCEPTED {
            # Per-connection flags: does the current request need a cert,
            # and has a valid cert already been presented on this connection?
            set needcert 0
            set gotcert 0
        }

        when HTTP_REQUEST {
            if { $gotcert == 0 and [HTTP::uri] starts_with "/sas/controller" } {
                log local0.warn "Requiring certificate..."
                # Hold the request, switch the profile to require a client cert,
                # then force a renegotiation so the client is asked for one
                HTTP::collect
                SSL::cert mode require
                SSL::renegotiate
                set needcert 1
            } else {
                log local0.warn "No cert needed."
            }
        }

        when CLIENTSSL_HANDSHAKE {
            log local0.warn "cert count=[SSL::cert count] result=[SSL::verify_result]"
            if { [SSL::cert count] == 0 or [SSL::verify_result] != 0 } {
                log local0.warn "Bad cert!"
                if { $needcert == 1 } {
                    reject
                }
            } else {
                log local0.warn "Good cert! ($needcert)"
                set gotcert 1
                if { $needcert == 1 } {
                    # Release the request held in HTTP_REQUEST now that the cert verified
                    HTTP::release
                }
            }
        }
    }


This is on version 9.2. Haven't tried it on any previous versions yet, but given 9.2 is required for use of the ASM as well, it doesn't matter on any other version.
  • Jason_Witt_4207
    Historic F5 Account
    I tried a bit more on this rule and I get varying results depending on which peer cert mode I start with in the clientssl profile.

    For example, if I start with ignore, setting SSL::cert mode request and then forcing a renegotiation does not cause a prompt for a cert.

    If I start with request, then all requests get prompted for SSL certs as expected, though the desired result is for only a specific URI path to request certs.

    One question I have is: does the setting of auto for peer cert mode mean to ignore client certs unless I explicitly turn them on in an iRule? The docs are a little unclear there.
  • It seems that this post has been sitting here for about half a year. Is there any result on this issue? I also have a customer that requires this feature.

  • I have tested this rule. It seems that if you start with the profile cert mode ignore, then change the cert mode to require, the client will be prompted for a certificate. But after supplying the certificate, the connection will be rejected.

    After doing a tcpdump of the SSL connection, it seems that the client sets up a new TCP connection to the VS after renegotiation, which means the rules can't process in the same session, so the connection breaks.

    How can we keep SSL::renegotiate in the same connection?
  • At last, I got the rule below working.

    when CLIENTSSL_HANDSHAKE {
        log local0.warn "cert count=[SSL::cert count]"
        if { [SSL::cert count] == 0 } {
            log local0.warn "when client handshake, ssl cert count is 0, pass"
        } else {
            log local0.warn "when client handshake, two-way cert found and the cert count is [SSL::cert count]"
            # Release the request that was held in HTTP_REQUEST before renegotiating
            HTTP::release
        }
    }
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/manual/" } {
            log "Requiring certificate... and the request uri is: [HTTP::uri]"
            if { [SSL::cert count] == 0 } {
                log local0. "when http request, ssl cert count is 0, now http collect"
                # Hold the request, require a client cert, then force a renegotiation
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                log local0. "when http request, now renegotiating"
                SSL::renegotiate
            }
        } else {
            log local0.warn "No cert needed, to server directly. And the uri is [HTTP::uri]"
        }
    }

    You can start from a clientssl profile with cert mode ignore; then when a user accesses /manual/, he will be prompted with a window to supply a certificate.

    For certificate advertising and CRL, it can only be edited manually in the bigip.conf file. And remember never to modify anything in the client ssl profile from the GUI again........

    In my environment it works on BIG-IP v9.1.2, but it can't run on the beta BIG-IP 9.4.0. So disappointing.......

    Can anyone help!!!!
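As an added example (not code from any post in this thread), here is one way to assemble the pieces discussed above into a single per-URI rule that also checks the verification result rather than only the certificate count. It assumes the clientssl profile starts with peer cert mode ignore, that /manual/ is the protected prefix, and that a trusted CA is configured in the profile so that SSL::verify_result is meaningful; those are assumptions, not something the thread confirms.

```tcl
# Added example, not from the thread. Assumes: clientssl profile peer cert mode
# "ignore" to start, "/manual/" is the protected prefix, and a trusted CA is
# configured in the profile so that SSL::verify_result reflects chain validation.

when CLIENT_ACCEPTED {
    # Per-TCP-connection state. A renegotiation that lands on a new TCP
    # connection (as observed in the thread) starts over with gotcert = 0.
    set needcert 0
    set gotcert 0
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/manual/" } {
        if { $gotcert } {
            # A valid client cert was already verified on this connection;
            # let the request through without renegotiating again.
            return
        }
        set needcert 1
        # Hold the request, require a client cert, and renegotiate so the
        # client is asked for one mid-connection.
        HTTP::collect
        SSL::cert mode require
        SSL::renegotiate
    }
}

when CLIENTSSL_HANDSHAKE {
    # Only act on the renegotiated handshake that we asked for; the initial
    # handshake under mode "ignore" has needcert = 0 and is left alone.
    if { $needcert } {
        if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
            set gotcert 1
            log local0. "client cert accepted: [X509::subject [SSL::cert 0]]"
            # Release the held request now that the cert has been verified
            HTTP::release
        } else {
            log local0. "client cert missing or failed verification (result=[SSL::verify_result])"
            reject
        }
    }
}
```

The check on SSL::verify_result is what distinguishes "a certificate was sent" from "a certificate that chains to the configured CA was sent"; count alone only proves the former. It does not address the advertised-CA list or CRL settings, which the thread says must still be edited in bigip.conf.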
  • Hi,

    I tried this iRule just now and it partially worked. My dilemma is that I need the "advertised certificate authorities" set as well when I require certificates. Otherwise, I need "ignore" (which is the default in the profile, and the "cert ca" value gets blanked out).

    I saw another post on how to do this, and it appeared that SSL::cert commands do not support this yet. Does anyone know if this feature has been added yet?

    Thanks,

    Steve
  • This is actually something that looks very interesting, and I'm curious to know why people were having a difficult time running this on 9.4.x? (I'll get to try with 10.x and 9.4.x.)

    Has anyone made any other progress with getting specific URIs to require specific client certificates? If so, I'd love to follow more threads about this.

    -G