Forum Discussion

Maudigan
Dec 02, 2023
Solved

OCSP HTTP Header Specification/Example or field name of EDIPI?

Our application identifies users by the EDIPI passed in a header. I'm coding this without having access at the moment, so I'm relying heavily on documentation instead of trial and error; I can't find documentation.

From what I understand, the cert information will just be available to me in the header, and I can trust it. So I should just grab their EDIPI and check my user tables to see who is associated with that EDIPI, then I mark them as logged in. (Side question, do I need to check their revoked status? Does a revoked cert still get forwarded to our application, or are they redirected by F5?)

I'm using PHP to check the headers. I already know how to get the header information and grab values from it. What I don't know is what the EDIPI key/index is. I can't find documentation or examples of the headers.

I have, however, found the GCDS documentation and an example dump of the headers. In the case of GCDS, the EDIPI key is 'cert-edipi'. Is that a standard naming convention that would be the same for F5?

If anyone can point me to an example of an HTTP header, or better yet the documentation of the fields and their definitions, that would be super helpful. In lieu of that, what's the name of the EDIPI field in the HTTP header?

  • Maudigan
    Dec 04, 2023

    Lucas, thanks for the detailed response. Your assumptions are correct. I had seen that post you linked when I was searching and had dismissed it as unrelated to what I was looking for. I had been led to believe that the process you just described was sort of automatic, that simply by being in the F5 and using HTTPS the x509 info would automatically be inserted into the HTTP request header and forwarded to the server.

    I thought I was just missing the finer details, but I apparently really am missing the overarching architecture of how this will work! I think the important takeaway from your code is that I can name the EDIPI whatever I want in the request header. That's enough to let me start writing my PHP. So thanks!

    I think I followed your code fine, but am entirely unfamiliar with the syntax/language. Am I right to assume that my server admins will have access to an F5 console where I'd have to get them to set up rules for how we want our connections to be managed, and the script you provided is an example of one of those handling rules?

  • Great! Sounds like you're on the right track.

    The language that BIG-IPs use for network programmability is a flavor of TCL called "iRules". In a nutshell, you write code blocks like "When this event happens, do these commands", then you attach that code to a virtual server. iRules support passing data between events using variables. In this way, almost any conceivable use case or data translation is possible.

    Events: https://clouddocs.f5.com/api/irules/Events.html

    Commands: https://clouddocs.f5.com/api/irules/Commands.html

    You can read more about iRules here:

    https://community.f5.com/t5/technical-articles/getting-started-with-irules-events-amp-priorities/ta-p/290543

4 Replies

  • I'm assuming that:

    1- The F5 is performing the SSL negotiation with the client's CAC

    2- You want to transform the ID in the X509 to an HTTP header and pass it along to the backend server, which can read it

    So you need to capture the X509 information. There is some information about that here:

    https://community.f5.com/t5/technical-forum/forwarding-of-x509-http-header-to-application-after-termination/td-p/100895

    Then you need to add that header into the transaction using the HTTP::header command at either the HTTP_REQUEST or HTTP_REQUEST_RELEASE event. I prefer the latter because it always happens right before we send the request to the backend server.

    So a complete irule might look something like this. I used "x-edipi" (custom headers are usually supposed to start with "x-", but that's not a hard rule) for an example, but you'll have to figure out what header the server wants. The F5 doesn't care. A simple test of the header should prevent users from inserting their own header maliciously.

    # Fires once per TLS connection, after the client certificate has passed the
    # client-ssl profile's checks. Pull the CN out of the subject and take everything
    # after its last "." as the EDIPI (CAC subjects are LAST.FIRST.MIDDLE.<EDIPI>).
    when CLIENTSSL_HANDSHAKE {
      set subj [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
      set EDIPI [string range $subj [expr [string last "." $subj] +1] end]
      log local0. "CAC Auth: Got EDIPI '$EDIPI'"
    }
    
    # Fires for every request, just before it is sent to the pool member.
    when HTTP_REQUEST_RELEASE {
      # Never let a client-supplied x-edipi through: reject the connection and
      # stop processing this event so nothing below runs for a spoofed request.
      if { [HTTP::header exists "x-edipi"] } {
        log local0. "CAC Auth: [IP::client_addr] tried to tell us they were [HTTP::header value x-edipi]! Drop connection."
        reject
        return
      }
      
      # Insert the value captured during the handshake. The variable persists for
      # the life of the connection, so every request on it gets the same EDIPI.
      if { [info exists EDIPI] } {
        log local0. "CAC Auth: [IP::client_addr] Inserting $EDIPI"
        HTTP::header replace "x-edipi" $EDIPI
      } else {
        log local0. "EDIPI data not found"
      }
    }

    As for the client-ssl attached to the virtual, make sure you set the user-auth to "require" (we drop connection if you don't pass the CAC auth) and your allowed-CAs to the proper ones for your CACs.
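The following is an added example, not code from the thread or from F5: it models the backend side of the flow described in the answer above. It mirrors the iRule's CN parsing in Python so the two ends can be checked against each other offline, and shows the fail-closed lookup the application should do with the inserted header. The header name "x-edipi", the 10-digit EDIPI format used for validation, the user table, the `from_trusted_proxy` flag and the certificate subject strings are all assumptions constructed for this example.

```python
import re
from typing import Dict, Optional

# Assumption for validation: an EDIPI is a 10-digit number.
EDIPI_RE = re.compile(r"^[0-9]{10}$")

# Constructed user table for the example: EDIPI -> application account.
USER_TABLE: Dict[str, str] = {
    "1234567890": "jdoe",
    "0987654321": "asmith",
}


def extract_edipi_from_subject(subject: str) -> Optional[str]:
    """Mirror the iRule's parsing of the certificate subject.

    The iRule takes the CN= value up to the next comma, then everything
    after the last "." (CAC subjects are LAST.FIRST.MIDDLE.<EDIPI>).
    Unlike the iRule, this also rejects anything that is not 10 digits,
    so a non-CAC certificate yields None instead of a garbage value.
    """
    match = re.search(r"CN=([^,]*)", subject)
    if not match:
        return None
    cn = match.group(1)
    # rsplit(".", 1)[-1] is the whole CN when there is no "." at all,
    # exactly like [string range $subj [expr [string last "." $subj]+1] end].
    candidate = cn.rsplit(".", 1)[-1].strip()
    return candidate if EDIPI_RE.fullmatch(candidate) else None


def login_from_headers(headers: Dict[str, str], from_trusted_proxy: bool) -> Optional[str]:
    """Resolve the logged-in account from the request the F5 forwarded.

    headers:            request headers as the application sees them
                        (PHP exposes x-edipi as $_SERVER['HTTP_X_EDIPI']).
    from_trusted_proxy: True only when the request came over a path that
                        only the BIG-IP can reach (deployment assumption;
                        the iRule rejects spoofed headers, but that only
                        helps if the app cannot be reached around the F5).

    Fails closed: any missing piece returns None rather than a guessed user.
    """
    if not from_trusted_proxy:
        return None
    lowered = {name.lower(): value for name, value in headers.items()}
    edipi = lowered.get("x-edipi")
    if edipi is None or not EDIPI_RE.fullmatch(edipi):
        return None
    return USER_TABLE.get(edipi)


if __name__ == "__main__":
    # Constructed CAC-style subject, in the form X509::subject renders it.
    subject = "CN=DOE.JOHN.Q.1234567890,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S. Government,C=US"
    edipi = extract_edipi_from_subject(subject)
    print("iRule would insert x-edipi:", edipi)
    print("app resolves user:", login_from_headers({"X-Edipi": edipi}, True))
    print("same header, F5 not in path:", login_from_headers({"X-Edipi": edipi}, False))
```

The lookup never trusts the header's mere presence: the value must match the expected format, must map to a known account, and must have arrived through the F5. In PHP the equivalent read is `$_SERVER['HTTP_X_EDIPI']`, and the equivalent of `from_trusted_proxy` is binding the application so that only the BIG-IP's self IPs can reach it.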
