Forum Discussion
Alex_Moundalexi
Nimbostratus
Mar 14, 2008
OCSP w/ requested client certifications.
When configuring a virtual server client certificates can be ignored, requested, or required.
Is there a way to determine how a particular VS is configured to handle client certificates?
When an authorization profile is used that utilizes OCSP, a client certificate needs to be present. The default iRule handles things just fine if the certificate is required, but balks when a certificate isn't presented.
I was looking at PROFILE::clientssl but the syntax of the command isn't explained on the wiki at all. I know there's a mode setting (that returns 0 for SSL, 1 for non-SSL), but other than that I haven't found any reference to other parameters.
4 Replies
Colin_Walker_12
Historic F5 Account
Here's a great example in the codeshare that you may want to take a look at: Click here.
It's a little advanced, but it does some things that you'll want to look through, like:

    } elseif {([matchclass [TCP::local_port] equals $::vip_http_ports]) }{
       # Request was to an HTTP port, not an HTTPS port, so disable client SSL profile if one is enabled on the VIP
       set vip_http_port 1
       if {$::debug}{log local0. "HTTP request from [IP::client_addr] to [IP::local_addr]:[TCP::local_port]"}

       # Check to see if there is a client SSL profile and if so, disable it
       if { [PROFILE::exists clientssl] == 1} {
          if {$::debug}{log local0. "Client SSL profile enabled on VIP. Disabling SSL"}
          set disable_cmd "SSL::disable"
          eval $disable_cmd
       }
    }
This still doesn't solve the issue of determining when you want the profile enabled/disabled, but at least it shows you how to turn it on/off.
Colin
Alex_Moundalexi
Nimbostratus
This still doesn't solve the issue of determining when you want the profile enabled/disabled, but at least it shows you how to turn it on/off.
That's the thing, all of the VS are using SSL profiles. The only difference is what options are configured within the profile. I need to be able to determine whether client certificates are required or requested or ignored, somehow passing that information back to an iRule to make a decision.
Colin_Walker_12
Historic F5 Account
And what piece of data in the client request would you use to make that determination? If you can't determine which profile to use before connecting to the server, then you have to use a default profile to connect, at which point it's too late to force a require or ignore.
Colin
Alex_Moundalexi
Nimbostratus
And what piece of data in the client request would you use to make that determination? If you can't determine which profile to use before connecting to the server, then you have to use a default profile to connect, at which point it's too late to force a require or ignore.
Nothing in the client request. I'm not looking to change the way that the SSL session is handled, but the OCSP authentication needs to be conditional depending on whether client certificates are present or not.
I was hoping for a system-provided variable, similar to how you can write iRules based on the number of available nodes in a pool.
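As an added example, not posted by anyone in this thread, the following iRule makes the OCSP check conditional on the peer actually having presented a certificate, which is the case the original poster describes failing when the client SSL profile only requests a certificate. It follows the structure of the stock SSL OCSP iRule and assumes the OCSP authentication configuration is named default_ssl_ocsp; the log messages are constructed for this example.

```tcl
# Added example: run OCSP only when the peer actually presented a certificate.
# Assumes an SSL OCSP auth configuration named "default_ssl_ocsp" (adjust to yours).
when CLIENTSSL_CLIENTCERT {
    # With a "request" profile the handshake proceeds even if no certificate is sent.
    # SSL::cert count is 0 in that case, so skip OCSP instead of handing it an empty cert.
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate from [IP::client_addr]; skipping OCSP"
        return
    }
    set ocsp_sid [AUTH::start pam default_ssl_ocsp]
    AUTH::cert_credential $ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $ocsp_sid
    # Pause the handshake until the OCSP responder has answered.
    SSL::handshake hold
}

when AUTH_RESULT {
    SSL::handshake resume
    # A non-zero status means the OCSP check did not succeed (revoked, unknown, or responder error).
    if { [AUTH::status] != 0 } {
        log local0. "OCSP check failed for [IP::client_addr]; rejecting"
        reject
    }
}
```

Note that a connection which skipped the check because no certificate was offered has not been authenticated at all, so whatever sits behind the virtual server must still treat it as anonymous.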
