Forum Discussion
CWaldon_204196
Nimbostratus
Oct 05, 2016
Options for Mutually Authenticated Connections using Certificates
Hello,
I'm attempting to change an existing VS configuration to accommodate some updated security requirements that have been passed down to our team.
The existing configuration is as follo...
Kevin_Stewart
Employee
Oct 07, 2016
There's no clean non-iRule way to do this quite yet, but as Shaun stated you can use a data group to minimize customization of that iRule. If you take a look at this page you can see a lot of options for extracting information from the certificate: https://devcentral.f5.com/wiki/iRules.X509.ashx
So you could take a variation of one of the code examples and add the data group.
```tcl
when CLIENTSSL_HANDSHAKE {
    # Check if the client supplied one or more client certs
    if { [SSL::cert count] > 0 } {
        # Exact string match of the leaf cert's subject against the data group
        if { not ( [class match [X509::subject [SSL::cert 0]] equals my-cert-subject-dg] ) } {
            # incoming cert subject didn't match a data group entry
            reject
        }
    } else {
        # No certificate presented
        reject
    }
}
```
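The decision logic of that iRule, modelled on a host so it can be exercised outside the BIG-IP: this is an added example, not code from the post or from F5. It assumes the data group `my-cert-subject-dg` is a string data group whose keys are subject DNs, and the allowlist and subject strings below are constructed samples. One point worth seeing in a runnable form is that `class match ... equals` is an exact string comparison, so a data group entry must be byte-for-byte what `X509::subject` emits; the `normalize_dn` helper shows the kind of whitespace and attribute-case differences that would silently fail an exact match, and the `cert_count == 0` branch is the "no certificate presented" path from the iRule.

```python
"""Host-side model of the client-certificate allowlist check performed by the iRule.

Not F5 code: it reproduces the accept/reject decision so the policy can be
unit-tested. DN strings and the data group contents are constructed samples.
"""
from typing import List, Optional, Tuple

RDN = Tuple[str, str]

# Constructed stand-in for the string data group "my-cert-subject-dg".
MY_CERT_SUBJECT_DG: List[str] = [
    "CN=api-client-01,OU=Integrations,O=Example Corp,C=US",
    "CN=api-client-02,OU=Integrations,O=Example Corp,C=US",
]


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514-style DN string into (attribute, value) pairs.

    Backslash-escaped commas inside values are kept as part of the value;
    RDN order is preserved because "CN=a,O=b" and "O=b,CN=a" are different names.
    """
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    rdns: List[RDN] = []
    for part in parts:
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical form used for comparison: upper-case attribute types, no stray
    whitespace, commas inside values re-escaped so the string stays unambiguous."""
    return ",".join(f"{attr}={value.replace(',', chr(92) + ',')}" for attr, value in parse_dn(dn))


def check_client_cert(cert_count: int, subject: Optional[str],
                      allowlist: List[str]) -> Tuple[str, str]:
    """Mirror the iRule: reject with no cert, reject when the subject is not in
    the data group, otherwise accept. Returns (decision, reason)."""
    if cert_count < 1 or subject is None:
        return ("reject", "no client certificate presented")
    allowed = {normalize_dn(entry) for entry in allowlist}
    if normalize_dn(subject) not in allowed:
        return ("reject", f"subject not in data group: {subject}")
    return ("accept", "subject matched data group entry")


if __name__ == "__main__":
    for count, subj in [
        (0, None),
        (1, "CN=api-client-01, OU=Integrations, O=Example Corp, C=US"),
        (1, "CN=unknown-client,O=Example Corp,C=US"),
    ]:
        print(count, subj, "->", check_client_cert(count, subj, MY_CERT_SUBJECT_DG))
```

On the BIG-IP itself there is no normalization step: whatever `X509::subject` returns is compared verbatim against the data group keys, so the practical way to populate the data group is to log that value from the iRule for a known-good client and paste it in unchanged.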