Forum Discussion
Passing client SSL certificate to server / f5 LTM 11.5
Hi,
I'm trying to pass the SSL client certificate to the backend server:
Traffic should flow like: Client --> (SSL) --> f5 --> (SSL) --> windows 2012 server.
From the forums it should be very easy, since 11.x stores the client certificate in the session:
when HTTP_REQUEST {
    if { [SSL::cert count] > 0 } {
        HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" [X509::whole [SSL::cert 0]]
    }
}
The BIG-IP inserts the client certificate in the headers, however, when I read back the header only a part of the certificate is present in the header. I can only see "-----BEGIN CERTIFICATE-----" with 21 correct lines of the original PEM certificate. The last 4 lines including "-----END CERTIFICATE-----" are missing.
I'm using the following lines to get the header values:
 # Tcl needs the loop body's opening brace on the same line as foreach;
 # a newline there ends the command.
 foreach aHeader [HTTP::header names] {
    log local0. "$aHeader: [HTTP::header value $aHeader]"
 }
Please help! Could this be a bug, who has client certificate passthrough working on 11.5+?
3 Replies
- nitass
Employee
it seems okay here.
by the way, since you want to pass client certificate to server, why don't you use proxy ssl instead?
sol13385: Overview of the Proxy SSL feature
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
e.g.
version
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys version
    Sys::Version
    Main Package
      Product  BIG-IP
      Version  11.5.1
      Build    0.0.110
      Edition  Final
      Date     Wed Mar 12 15:44:53 PDT 2014
config
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            myclientssl {
                context clientside
            }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 32
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
            if { [SSL::cert count] > 0 } {
                HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" [X509::whole [SSL::cert 0]]
            }
        }
    }
test
    [root@ve11a:Active:In Sync] config ssldump -Aed -nni 0.0 port 80
    New TCP connection 1: 200.200.200.14(36589) <-> 200.200.200.101(80)
    1401091886.4554 (0.0216)  C>S
    ---------------------------------------------------------------
    HEAD / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.24.10
    Accept: */*
    X-ENV-SSL_CLIENT_CERTIFICATE: -----BEGIN CERTIFICATE----- MIIFrTCCA5WgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEL MAkGA1UECBMCV0ExDTALBgNVBAoTBEFjbWUxEDAOBgNVBAsTB1N1cHBvcnQxGDAW BgNVBAMTD2NhMjAxMy5hY21lLmNvbTAeFw0xMzA4MzAxNDAyMzlaFw0xNDA4MzAx NDAyMzlaMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2Vh dHRsZTENMAsGA1UEChMEQWNtZTENMAsGA1UECxMEU2FsZTEWMBQGA1UEAxMNam9o bi5hY21lLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALnrK4pG ryK/klOnBiL6qy0/9nreOpjGKsd6hGOh0GKFUOqqSX0QTpZTX7fYMQldbvOwBYwU iPfSi3V/XVX6zhTm407KgzyGq4iyI9FgZeDm8B6DWn7lTaAnqYvgy+LySc/Lq+jH p5dfvcP1YG9Sj1mwFTDH/wNr8sLTx11ISFAvFTk7edqE8jBPDYXqXFUaJ+GzMTsd pyR7r7iM3FwYDBA7fCSu8L7FB4bN1ZU0R/Tp4uN8vt2w3ubi1qbJ1gWlEbLBm9dg cg+uvTsebPExHFokxqqdrsmQYrW4YPG1YaD2NaC46v23xHPNXqmR6OeTHkohO5Ve wkSWQO6G2H04j3p6O1lezcq8IOxJVo7E8cK+UfwU3hepRiq/i88KsOPLk+mzXNjw qU3gG2IX7DI9faVVuN1fe2Act0Ag3ao3FmDnDXyPQsqcgAD5fvy113KihtlcpH5M mACXqcioxqVGwBFevKHxipPmjQB6C9XCGqDIF/f10ThXu5DtvIPvDGaKa0jqq9Ip x7uDqNVknKUQuyUH7T85vrG05H9c6Qmaxiwq1M0L/YUKQt6MoU6S3BWM75Tbmi3w z/n8kTTGozO35lPfoMPLoHaj4Z0a7/0bYA3DMS33zMtXBy3VF3TjcxMgnAKg4sDq FmJd6M+gK7ghjt7FjzNixGSDC2P4b5x/BSTjAgMBAAGjezB5MAkGA1UdEwQCMAAw LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G A1UdDgQWBBTXvtvLZ4qH+c06S4fwluvs46sjVDAfBgNVHSMEGDAWgBSCOznFhO68 X2r1WREpmuBuEabGcTANBgkqhkiG9w0BAQUFAAOCAgEAGEp0eT3sYEL5xAPPRuwV jPvPLKjssZxCDbubCM8lQSNiOw6bwEvvZ7NFGhO/lcrUU7+PxEKYs9g2KuwJBMsF 0dm5yF9lw+pvBKSGWwrFsQzGrWzZhICb5evYon1jxIVqbdHFI+eAo3S3XnEUS9gh oJOz7+LvmzLtTdv7pR0pw7ne2m0zsYQGdBz0HCwEO1wVlNXsbCo/1Tpo0ANOXlfL fQJGLfJQzXVyd2/CRCQ/opIBYeOBBfjcFJofe7AC2QunlERaZF+qz5yiRC2tzdTE /P8nqdhT3a0bWfm59AmtWGfM2yZnQJJgY4SpaWfseSq8YQ56Dqq3ZQJxJQUzwh3b ChfM1T4Ye4rqyIFalS/xDGbqGBm30LfGZQly7FqXM4B6hCO9fbMoe4lfWu8kVVkE 1R7yQwqVDOlCOHV4+GQCFKYV9QN//RW7IKTV1PjHKozW0P1VfSM+C5Utw+kxBCWI cQIJLIjKBNCCZxwkzIgQ4727LZN3s0bM6GGWVaXTKqkwu6N6It32BmgvS+831dYE Un/lnsfTnjalKaLGKnKiDCRF5SCfN2/K5MQrb9w7vWihBP5+6D8di9ovgqxQdshm LXTL8GG1dL0Wb0rkCn4hfVVCK8yKqg//OZe1UV6jKEz3Mx+jOSC9dh6SJ+XhuM/2 pMa6PwcOHthiG9nRGqrFbYU= -----END CERTIFICATE-----
    ---------------------------------------------------------------
- arjen_kuindersm
Nimbostratus
When I use the ssldump command I also see the full certificate. So that probably means the part that prints the header doesn't work properly and set me on the wrong track. However, the server doesn't accept the client certificate. Is there a way to compare the exact headers between client<>f5 and f5<>webserver? I would like to compare them; I see a lot of examples with alternatives to 'X-ENV-SSL_CLIENT_CERTIFICATE'...
I will have a look at the proxy-ssl. Didn't investigate this feature yet.
 - nitass
Employee
Is there a way to compare the exact headers between client-f5 and f5-webserver
can you compare it in tcpdump? you have private keys to decrypt both sides of traffic, haven't you?
if you want to log, is HTTP_REQUEST_SEND or HTTP_REQUEST_RELEASE event useful?
HTTP
https://devcentral.f5.com/wiki/irules.HTTP.ashx 