Forum Discussion
Looking for an Irule to enforce ssl client authentication and then pass ssl certificate details to the backend server
Hi, I used the below iRule:

```tcl
when CLIENTSSL_CLIENTCERT {
    log local0. "start CLIENTSSL_CLIENTCERT"
    set the_cert [SSL::cert 0]
    set pkiSubject [X509::subject $the_cert]
    set pkiIssuer [X509::issuer $the_cert]
    log local0. "end CLIENTSSL_CLIENTCERT"
}

when HTTP_REQUEST {
    log local0. "start HTTP_REQUEST, uri is [HTTP::uri]"
    if { [HTTP::uri] eq "/server.htm" } {
        log local0. "/server.htm detected!"
        if { [SSL::cert count] == 0 } {
            log local0. "no certificate found... force SSL"
            SSL::cert mode require
            SSL::renegotiate
            log local0. "end HTTP_REQUEST"
        }
    } else {
        log local0. "certificate found!"
        set the_cert [SSL::cert 0]
        set pkiSubject [X509::subject $the_cert]
        set pkiIssuer [X509::issuer $the_cert]
        HTTP::header insert CLIENTSSL_Status [SSL::verify_result]
        HTTP::header insert CLIENTSSL_StatusString [X509::verify_cert_error_string [SSL::verify_result]]
        HTTP::header insert CLIENTSSL_CN $pkiSubject
        HTTP::header insert CLIENTSSL_SSLIssuer $pkiIssuer
        HTTP::header insert CLIENTSSL_SSLClientCertSN [X509::serial_number $the_cert]
        HTTP::header insert CLIENTSSL_Cert [b64encode $the_cert]
    }
}
```
I get a request to provide a certificate while requesting server.htm, but the headers are not inserted on the GET request forwarded to the server. I ran tcpdump and got the below:

```
..P.......GET /server.htm HTTP/1.1
Accept: text/html, application/xhtml+xml, /
Accept-Language: en-US,he-IL;q=0.7,he;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 192.168.3.100
If-Modified-Since: Tue, 28 Oct 2014 21:19:37 GMT
If-None-Match: "120851-14-50682345b18a4"
Connection: Keep-Alive
```
I'm using LTM 11.4
How can I resolve the problem?
6 Replies
- What_Lies_Bene1
Cirrostratus
Do you see any log entries such as /server.htm detected etc?
- What_Lies_Bene1
Cirrostratus
I suspect you need to move some of your logic to the CLIENTSSL_CLIENTCERT event.
- What_Lies_Bene1
Cirrostratus
I'm hoping you can work it out from this example: https://devcentral.f5.com/questions/irule-for-certificate-injection-into-the-http-header
- What_Lies_Bene1
Cirrostratus
Apologies, we've gone from no spam filters to rather over the top ones here on DC it seems, so had to split it up.
- Thomas_Schockae
Nimbostratus
Hi Michael,
If you want to do Client Certificate Authentication 'always' for a virtual server, you can modify the client-ssl profile you're using to achieve as much. The setting is called 'Client Certificate' and should be set to 'require'.
Make sure to also upload the chain for valid certificates and select it in the 'Trusted Certificate Authorities' and 'Advertised Certificate Authorities' picklists.
This way, you can simply use the following iRule to achieve your goal:
```tcl
when HTTP_REQUEST {
    HTTP::header insert "SSL_CLIENT_CERT" [X509::whole [SSL::cert 0]]
}
```

This differs from your iRule in that it doesn't use the iRule to renegotiate the connection to make sure the client sends a certificate. If, however, you want to only request/require a client certificate for specific URLs, you're going to need something along the lines of your iRule, or you're going to need the APM module with the 'OnDemand Certificate Auth' building block.
Kind regards,
Thomas
- tnaumovs_375792
Nimbostratus
This is not an answer but a comment: just note that the solution using 'insert' contains a vulnerability where the cert header info can be manipulated. To correct, use 'header replace'.

Ex.

```tcl
HTTP::header replace SSLClientCertSN [lindex $session_data 2]
```
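The comment above, and the `HTTP::header insert` calls in the original question, are worth seeing concretely. The following Python model is an added example and not code from this thread or from F5: it treats the forwarded request as an ordered header list (HTTP permits repeated names), models `insert` as append, models `replace` as "overwrite the last header of that name, or append" (an assumption about BIG-IP semantics, not verified here), and assumes the backend reads the first occurrence of a header, which is common. The request and certificate subject are constructed values.

```python
"""Model of a proxy adding client-certificate headers for a backend.

Constructed example: an ordered list of (name, value) pairs stands in for
the request the proxy forwards. Duplicates are kept in order because HTTP
allows repeated header names; the modelled backend reads the first one.
"""

HEADER = "CLIENTSSL_CN"

# Constructed request from a client that already supplies its own
# CLIENTSSL_CN header, hoping the backend will trust it.
CLIENT_REQUEST = [
    ("Host", "192.168.3.100"),
    (HEADER, "CN=admin,O=Example"),   # client-supplied, untrusted
    ("User-Agent", "Mozilla/5.0"),
]

# Same request, but the client sends the header twice.
CLIENT_REQUEST_DUP = CLIENT_REQUEST + [(HEADER, "CN=other,O=Example")]

# Constructed subject the proxy derived from the TLS client certificate.
REAL_SUBJECT = "CN=alice,O=Example"


def header_insert(headers, name, value):
    """Append a header, leaving any existing copies untouched (models 'insert')."""
    return headers + [(name, value)]


def header_replace(headers, name, value):
    """Overwrite the last header with this name, or append if none exists.

    Assumption: this is how BIG-IP 'HTTP::header replace' is modelled here;
    it is not the product's own code.
    """
    out = list(headers)
    for i in range(len(out) - 1, -1, -1):
        if out[i][0].lower() == name.lower():
            out[i] = (name, value)
            return out
    return out + [(name, value)]


def header_set_strict(headers, name, value):
    """Drop every client copy of the header, then add the proxy's value."""
    kept = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return kept + [(name, value)]


def backend_identity(headers, name=HEADER):
    """What a typical backend does: return the first matching header value."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def compare_strategies(request):
    """Identity the backend would see under each header-writing strategy."""
    return {
        "insert": backend_identity(header_insert(request, HEADER, REAL_SUBJECT)),
        "replace": backend_identity(header_replace(request, HEADER, REAL_SUBJECT)),
        "strict": backend_identity(header_set_strict(request, HEADER, REAL_SUBJECT)),
    }


if __name__ == "__main__":
    for label, req in (("single copy", CLIENT_REQUEST), ("two copies", CLIENT_REQUEST_DUP)):
        print(label)
        for strategy, seen in compare_strategies(req).items():
            print(f"  {strategy:8s} -> backend sees {seen!r}")
```

With a single client-supplied copy, `insert` lets the spoofed subject reach the backend first while `replace` and the strict variant both deliver the real one. With two client copies, `replace` (as modelled) only overwrites the last, so the first spoofed copy still wins; removing every client copy before adding the proxy's value is the form that holds up regardless of how many the client sends, which is why the strict variant is the one to prefer in the iRule.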