Forum Discussion
arjen_kuindersm
Nimbostratus
May 26, 2014
Passing client SSL certificate to server / f5 LTM 11.5
 Hi, 
 I'm trying to pass the SSL client certificate to the backend server: 
 Traffic should flow like: Client --> (SSL) --> f5 --> (SSL) --> windows 2012 server. 
 From the forums it should be very e...
nitass
Employee
May 26, 2014
it seems okay here.
by the way, since you want to pass client certificate to server, why don't you use proxy ssl instead?
sol13385: Overview of the Proxy SSL feature
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
e.g.
 version
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys version
Sys::Version
Main Package
  Product  BIG-IP
  Version  11.5.1
  Build    0.0.110
  Edition  Final
  Date     Wed Mar 12 15:44:53 PDT 2014
 config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        myclientssl {
            context clientside
        }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 32
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when HTTP_REQUEST {
  if { [SSL::cert count] > 0 } {
    HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" [X509::whole [SSL::cert 0]]
  }
}
}
 test
[root@ve11a:Active:In Sync] config  ssldump -Aed -nni 0.0 port 80
New TCP connection 1: 200.200.200.14(36589) <-> 200.200.200.101(80)
1401091886.4554 (0.0216)  C>S
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.24.10
Accept: */*
X-ENV-SSL_CLIENT_CERTIFICATE: -----BEGIN CERTIFICATE-----
 MIIFrTCCA5WgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEL
 MAkGA1UECBMCV0ExDTALBgNVBAoTBEFjbWUxEDAOBgNVBAsTB1N1cHBvcnQxGDAW
 BgNVBAMTD2NhMjAxMy5hY21lLmNvbTAeFw0xMzA4MzAxNDAyMzlaFw0xNDA4MzAx
 NDAyMzlaMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2Vh
 dHRsZTENMAsGA1UEChMEQWNtZTENMAsGA1UECxMEU2FsZTEWMBQGA1UEAxMNam9o
 bi5hY21lLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALnrK4pG
 ryK/klOnBiL6qy0/9nreOpjGKsd6hGOh0GKFUOqqSX0QTpZTX7fYMQldbvOwBYwU
 iPfSi3V/XVX6zhTm407KgzyGq4iyI9FgZeDm8B6DWn7lTaAnqYvgy+LySc/Lq+jH
 p5dfvcP1YG9Sj1mwFTDH/wNr8sLTx11ISFAvFTk7edqE8jBPDYXqXFUaJ+GzMTsd
 pyR7r7iM3FwYDBA7fCSu8L7FB4bN1ZU0R/Tp4uN8vt2w3ubi1qbJ1gWlEbLBm9dg
 cg+uvTsebPExHFokxqqdrsmQYrW4YPG1YaD2NaC46v23xHPNXqmR6OeTHkohO5Ve
 wkSWQO6G2H04j3p6O1lezcq8IOxJVo7E8cK+UfwU3hepRiq/i88KsOPLk+mzXNjw
 qU3gG2IX7DI9faVVuN1fe2Act0Ag3ao3FmDnDXyPQsqcgAD5fvy113KihtlcpH5M
 mACXqcioxqVGwBFevKHxipPmjQB6C9XCGqDIF/f10ThXu5DtvIPvDGaKa0jqq9Ip
 x7uDqNVknKUQuyUH7T85vrG05H9c6Qmaxiwq1M0L/YUKQt6MoU6S3BWM75Tbmi3w
 z/n8kTTGozO35lPfoMPLoHaj4Z0a7/0bYA3DMS33zMtXBy3VF3TjcxMgnAKg4sDq
 FmJd6M+gK7ghjt7FjzNixGSDC2P4b5x/BSTjAgMBAAGjezB5MAkGA1UdEwQCMAAw
 LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
 A1UdDgQWBBTXvtvLZ4qH+c06S4fwluvs46sjVDAfBgNVHSMEGDAWgBSCOznFhO68
 X2r1WREpmuBuEabGcTANBgkqhkiG9w0BAQUFAAOCAgEAGEp0eT3sYEL5xAPPRuwV
 jPvPLKjssZxCDbubCM8lQSNiOw6bwEvvZ7NFGhO/lcrUU7+PxEKYs9g2KuwJBMsF
 0dm5yF9lw+pvBKSGWwrFsQzGrWzZhICb5evYon1jxIVqbdHFI+eAo3S3XnEUS9gh
 oJOz7+LvmzLtTdv7pR0pw7ne2m0zsYQGdBz0HCwEO1wVlNXsbCo/1Tpo0ANOXlfL
 fQJGLfJQzXVyd2/CRCQ/opIBYeOBBfjcFJofe7AC2QunlERaZF+qz5yiRC2tzdTE
 /P8nqdhT3a0bWfm59AmtWGfM2yZnQJJgY4SpaWfseSq8YQ56Dqq3ZQJxJQUzwh3b
 ChfM1T4Ye4rqyIFalS/xDGbqGBm30LfGZQly7FqXM4B6hCO9fbMoe4lfWu8kVVkE
 1R7yQwqVDOlCOHV4+GQCFKYV9QN//RW7IKTV1PjHKozW0P1VfSM+C5Utw+kxBCWI
 cQIJLIjKBNCCZxwkzIgQ4727LZN3s0bM6GGWVaXTKqkwu6N6It32BmgvS+831dYE
 Un/lnsfTnjalKaLGKnKiDCRF5SCfN2/K5MQrb9w7vWihBP5+6D8di9ovgqxQdshm
 LXTL8GG1dL0Wb0rkCn4hfVVCK8yKqg//OZe1UV6jKEz3Mx+jOSC9dh6SJ+XhuM/2
 pMa6PwcOHthiG9nRGqrFbYU=
 -----END CERTIFICATE-----
---------------------------------------------------------------
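A backend-side sketch of consuming the header shown in the dump above, added here as an example and not code from the thread or from F5. It assumes the PEM arrives folded across continuation lines as in the dump; the function names and the sample request are constructed for illustration, with placeholder bytes instead of a real certificate.

```python
import base64
import hashlib
import re

HEADER = "x-env-ssl_client_certificate"  # header name set by the iRule on this page
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def client_cert_der(raw_headers: bytes) -> bytes:
    """Return the DER bytes carried in HEADER; raise ValueError if unusable."""
    lines = []
    for line in re.split(r"\r?\n", raw_headers.decode("latin-1")):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()  # continuation of the previous header
        elif line:
            lines.append(line)
    values = [v for name, sep, v in (l.partition(":") for l in lines)
              if sep and name.strip().lower() == HEADER]
    # Exactly one copy is expected: the one inserted by the iRule.
    if len(values) != 1:
        raise ValueError(f"expected exactly one {HEADER} header, got {len(values)}")
    match = PEM_RE.search(values[0])
    if match is None:
        raise ValueError("header does not contain a PEM certificate")
    # Whitespace left by unfolding is not part of the base64 text.
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER encoding, usable as an allow-list key."""
    return hashlib.sha256(der).hexdigest()

# Constructed sample: placeholder bytes stand in for a real DER certificate.
FAKE_DER = bytes(range(100))
_b64 = base64.b64encode(FAKE_DER).decode()
_pem = ["-----BEGIN CERTIFICATE-----",
        *[_b64[i:i + 64] for i in range(0, len(_b64), 64)],
        "-----END CERTIFICATE-----"]
SAMPLE = ("HEAD / HTTP/1.1\r\nHost: 172.28.24.10\r\n"
          "X-ENV-SSL_CLIENT_CERTIFICATE: " + "\r\n ".join(_pem) + "\r\n\r\n").encode()

if __name__ == "__main__":
    print(sha256_fingerprint(client_cert_der(SAMPLE)))
```

The iRule above inserts nothing when the client presents no certificate, so a copy of the header sent by the client would reach the pool member unchanged; removing any incoming copy on the BIG-IP before the insert closes that gap.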