Forum Discussion
swarnim_131291
Nimbostratus
Aug 08, 2013
Modifying HTTP header on the basis of SSL certificate
Hello,
So this is what my use case looks like. I am building a service to which users can upload their files via cURL. The service is load balanced by F5. In order to authenticate themselves, us...
Kevin_Stewart
Employee
Aug 08, 2013
1. This depends on what you mean by validation. The client SSL profile is going to provide some preliminary validation (trust chain, expiration, etc.), but anything beyond that (OCSP, CRLDP) is going to require the Access Policy Manager (APM) module. You can, however, insert a static CRL into the client SSL profile for local revocation checking.
2. Take a look at the X509:: wiki page (https://devcentral.f5.com/wiki/iRules.X509.ashx). Once you've terminated SSL and received the client certificate, the X509 values of that certificate will be available via a set of X509:: commands. You can then simply insert those values into HTTP headers.
*Crude* example:
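when HTTP_REQUEST {
    # Only add the header when the client presented a certificate
    if { [SSL::cert count] > 0 } {
        # Subject DN of the client (leaf) certificate
        HTTP::header insert CERTSUBJECT [X509::subject [SSL::cert 0]]
    }
}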
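The same approach with one hardening step, as an added example that is not part of the original post: the iRule first removes any certificate headers the client sent itself, so the backend only ever sees values set by the BIG-IP, and only then inserts values from the presented certificate. The CERTISSUER and CERTSERIAL header names and the 403 response for requests without a certificate are assumptions for illustration.

```tcl
when HTTP_REQUEST {
    # Remove client-supplied copies of the identity headers first.
    # "HTTP::header insert" adds a header; it does not replace one that
    # arrived with the request, so a forged value would otherwise reach
    # the backend alongside (or instead of) the real one.
    # CERTISSUER and CERTSERIAL are hypothetical names for this example.
    foreach name { CERTSUBJECT CERTISSUER CERTSERIAL } {
        HTTP::header remove $name
    }

    if { [SSL::cert count] > 0 } {
        # Index 0 is the client (leaf) certificate
        set cert [SSL::cert 0]

        # Subject alone is ambiguous across CAs; issuer and serial
        # number let the backend pin the exact certificate.
        HTTP::header insert CERTSUBJECT [X509::subject $cert]
        HTTP::header insert CERTISSUER  [X509::issuer $cert]
        HTTP::header insert CERTSERIAL  [X509::serial_number $cert]
    } else {
        # Assumption: every upload must be authenticated by certificate,
        # so a request without one is refused at the load balancer.
        HTTP::respond 403 content "Client certificate required"
    }
}
```

The backend should accept these headers only on connections that come from the BIG-IP, since any client able to reach it directly could set them freely.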
