Forum Discussion
Passing decoded certificates in HTTP header
Hi folks.
I have been requested to set up BIG-IP to request certificate authentication and then insert the WHOLE UNENCODED certificate into the HTTP header and pass it to a different virtual server.
I have trawled the forum already but can't find the resolution anywhere.
The iRule I have set up at present is:
# First check to see whether a cert is present, then validate it
when CLIENTSSL_CLIENTCERT {
    set debug 0
    # Check if the client provided a cert
    if { [SSL::cert 0] eq "" } {
        # Reset the connection if no cert is present, and stop here so the
        # CN check below does not run against an unset $subject_dn
        reject
        return
    } else {
        # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
        set ssl_cert [SSL::cert 0]
        set subject_dn [X509::subject $ssl_cert]
    }
    # Check if the certificate contains a valid CN
    if { ($subject_dn contains "CN=Company A") or ($subject_dn contains "CN=Company B") } {
        # Accept the client cert
        log "Client Certificate Accepted: $subject_dn [X509::whole $ssl_cert]"
    } else {
        log "No Matching Client Certificate Was Found Using: $subject_dn"
        reject
    }
}

# Then re-write and pass to a different VIP
when HTTP_REQUEST {
    set requestedhost [string tolower [HTTP::host]]
    set requestedURI [HTTP::uri]
    if { $requestedhost equals "string1.domainA.com" } {
        HTTP::header replace Host "string2.domainA.com"
        # This is the line that raises the error discussed in the replies:
        # b64decode is being applied to the DER bytes, which are not base64 input
        HTTP::header insert "X509Certificate" [X509::whole [b64decode [SSL::cert 0]]]
        virtual VS_SYST_SOA_EXTERNAL_LIVE_HTTPS
    }
}
Any help or suggestions would be gratefully received.
Thanks
Graham
15 Replies
- LyonsG_85618
Cirrostratus
Sorry - I also should say that I have tried this without the b64decode, and the certificate is sent in PEM format.
When trying the above I get an error in the log: while executing "X509::whole [b64decode [SSL::cert 0]]"
- Kevin_Stewart
Employee
The syntax of the command should be: [X509::whole [SSL::cert 0]]
Without the X509 command, [SSL::cert 0] produces the binary representation of the certificate (in DER encoding). You don't want to send binary data in an HTTP header. The X509::whole command produces a PEM encoding of that certificate, which is base64 with additional header/footer data. It also has line breaks in it, so your best bet for getting it sent in a header is to either base64 encode it again, or simply base64 encode the [SSL::cert 0]:
[b64encode [SSL::cert 0]]
Then at the other VIP just decode to get to the binary certificate:
[b64decode [HTTP::header "X509Certificate"]]
** with appropriate error checking - invalid data will bomb the b64decode command.
- What_Lies_Bene1
Cirrostratus
Can you try setting a variable containing the cert data and then using that for the decode operation?
What's the actual error message?
Too late! Thanks Kevin.
- LyonsG_85618
Cirrostratus
Thanks Kevin
I have tried [X509::whole [SSL::cert 0]] but that (as you say) produces the PEM encoded version.
I want to send it as Base64 DECODED though.
I would like to avoid creating another iRule for the other VIP as this is used for LOTS of other applications and I am not sure what impact doing this would have on the other applications.
- Kevin_Stewart
Employee
Well, if I'm understanding you, you want to send the binary certificate between VIPs? A certificate can be either DER or PEM encoded. [SSL::cert 0] produces the DER, and [X509::whole [SSL::cert 0]] produces the PEM. I would not recommend sending the DER version in an HTTP header, and the PEM version is laced with line breaks.
In any case, you'd need something on the other VIP to receive the HTTP header and do something with it. How are you using the value in the application behind the second VIP?
- LyonsG_85618
Cirrostratus
I believe the certificate needs to look like this:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 7829 (0x1e95)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
        Validity
            Not Before: Jul 9 16:04:02 1998 GMT
            Not After : Jul 9 16:04:02 1999 GMT
        Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=baccala@freesoft.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
                    33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
                    66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
                    70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
                    16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
                    c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
                    8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
                    d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
                    e8:35:1c:9e:27:52:7e:41:8f
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
        92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
        ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
        d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
        0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
        5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
        8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
        68:9f
We do not need to do anything on the other VIP - there is an application that modifies the cert.
We do not need to do anything else with it.
- Kevin_Stewart
Employee
That's an OpenSSL representation of a certificate and NOT what it really looks like. A certificate is either binary (DER ASN.1 encoded) or PEM (a base64 encoding of the DER). So you have a few options:
1. Recreate this structure (or some portions of it) using the various X509 commands. You probably still want to encode it somehow to pass into the HTTP header.
2. Pull out just the pieces you need and pass them as HTTP headers.
- hoolio
Cirrostratus
Couldn't you just base64 encode the cert on the first VS and decode it on the second? I think it would corrupt the HTTP headers if you tried to insert the cert unencoded.
Aaron
- hoolio
Cirrostratus
I would like to avoid creating another iRule for the other VIP as this is used for LOTS of other applications and I am not sure what impact doing this would have on the other applications.
If you remove any pre-existing instances of a custom header name and then insert the base64 encoded copy of the cert in that header name, it would be fairly cheap resource-wise to look for that header on a second VS. You could then only base64 decode the header value if it's present.
Aaron
- LyonsG_85618
Cirrostratus
Guys thanks.
I am making progress... they are trying to replicate a WebSphere plugin. Here is a trace of what it does:
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestCreate: Creating the request object
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htresponse: htresponseCreate: Creating the response object
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htresponse: htresponseInit: initializing the response object
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htresponse: htresponseInit: done initializing the response object
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetMethod: Setting the method |GET|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetURL: Setting the url |/intermediaryaccess/servlet/IntermediaryAuthenticationServlet|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetURL: Setting the query string |RequestID=AUTHENTICATION_CERTIFICATE_LOGON&action=initial&branding=&source=SLAC&urlParamTargetPage=https%3A%2F%2Fwpssyst1.advisertest.com%2Fadviser%2Fsecure%2Fadviserzone%2FServices%2FgotoSecureService%3Fid%3DdoLogin|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: mod_was_ap20_http: cb_get_headers: In the get headers callback
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Accept| to value |image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/xaml+xml, application/x-ms-xbap, application/x-ms-application, */*|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Referer| to value |https://syst.advisertest.com/intermediaryaccess/servlet/IntermediaryAuthenticationServlet|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Accept-Language| to value |en-gb|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |UA-CPU| to value |x86|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Accept-Encoding| to value |gzip, deflate|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |User-Agent| to value |Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Host| to value |syst-cert.advisertest.com|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Cookie| to value |SBANavCookie=114_8_-38_-61_24_-108_104_-57_27_89_103_-67_51_-18_52_-4_79_9_29_-61_102_-73_-88_-105_-47_-81_65_6_73_-30_47_83_-19_18_-52_76_-26_-23_54_-57_-10_-15_5_22_-125_50_126_74_0_-58_-56_98_-23_-1_-97_104_-95_13_101_-48_-38_72_-87_17_-109_-39_-96_-62_-58_44_59_; SBAAuthCookie=-119_75_126_-110_-125_50_-75_95_-112_-102_-5_-64_-40_121_27_28_; autheticationMethodCookie=Y|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Connection| to value |Keep-Alive|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Cache-Control| to value |no-cache|
This next header WSCC is the certificate:
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSCC| to value |MIIG7zCCBNegAwIBAgIQEZV1hgfaH00918hmISp9hzANBgkqhkiG9w0BAQ0FADBYMQswCQYDVQQGEwJHQjErMCkGA1UEChMiT3JpZ28gU2VjdXJlIEludGVybmV0IFNlcnZpY2VzIEx0ZDEcMBoGA1UEAxMTT3JpZ28gUm9vdCBDQSAtIEcyTTAeFw0xMjA4MzAwMDAwM
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSCS| to value |RC4-MD5|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSIS| to value |true|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSSC| to value |https|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSPR| to value |HTTP/1.1|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSRA| to value |172.31.104.161|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSRH| to value |172.31.104.161|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSSN| to value |syst-cert.advisertest.com|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSSP| to value |443|
[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSSI| to value |AA2gKnwJoT4xajzq6d7FmSizqiRYWFhYUKZ
So now I need to check with the application guys to see exactly which of the header fields are required....
You can see that certificate is encoded and I have tried setting the variable as $WSCC rather than X509Certificate:
e.g. HTTP::header insert \$WSCC [X509::whole [SSL::cert 0]]
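As an added example, not part of the original thread or any poster's code: one iRule that produces the header set from the plugin trace on the first virtual server, followed by the optional decode step for the second one. Note that the $WSCC value in the trace starts with "MIIG7zCC", which is the base64 encoding of a DER SEQUENCE (bytes 0x30 0x82 ...), so it is exactly [b64encode [SSL::cert 0]] as Kevin suggested, not the PEM with line breaks that X509::whole returns. The header names come from the trace; the meaning assigned to each of them below (remote address, server port, and so on), and which ones the application really needs, are assumptions to confirm with the application team. The CN allow-list and the target virtual server name are the poster's.

```tcl
# Added example, not from the thread: first virtual server. Performs the
# client certificate check, then forwards with WebSphere-plugin-style
# headers. The $WS* header meanings below are assumptions.

when CLIENTSSL_CLIENTCERT {
    # No certificate presented: reset the connection and stop this event
    if { [SSL::cert count] == 0 } {
        reject
        return
    }
    set subject_dn [X509::subject [SSL::cert 0]]
    # "contains" is a substring test: "CN=Company A" also matches
    # "CN=Company AB". Compare the extracted CN with "equals" if that matters.
    if { ($subject_dn contains "CN=Company A") or ($subject_dn contains "CN=Company B") } {
        log local0. "Client certificate accepted: $subject_dn"
    } else {
        log local0. "No matching client certificate: $subject_dn"
        reject
        return
    }
}

when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] ne "string1.domainA.com" } {
        return
    }
    # Never forward without a client certificate on the connection
    if { [SSL::cert count] == 0 } {
        reject
        return
    }

    # Strip any copies the client sent itself, so a caller cannot inject its
    # own certificate or connection metadata (the point hoolio makes above).
    # Braces keep Tcl from treating "$WSCC" as a variable reference.
    foreach hdr [list {$WSCC} {$WSCS} {$WSIS} {$WSSC} {$WSPR} {$WSRA} {$WSRH} {$WSSN} {$WSSP}] {
        HTTP::header remove $hdr
    }

    # $WSCC: the DER certificate, base64 encoded on a single line. This is
    # what the trace shows (value starts "MIIG7zCC", base64 of a DER SEQUENCE)
    # and it carries none of the line breaks that X509::whole's PEM output has.
    HTTP::header insert {$WSCC} [b64encode [SSL::cert 0]]

    # Connection metadata. Assumed meanings: cipher suite, is-secure, scheme,
    # protocol, remote address, remote host, server name, server port.
    HTTP::header insert {$WSCS} [SSL::cipher name]
    HTTP::header insert {$WSIS} "true"
    HTTP::header insert {$WSSC} "https"
    HTTP::header insert {$WSPR} "HTTP/[HTTP::version]"
    HTTP::header insert {$WSRA} [IP::client_addr]
    HTTP::header insert {$WSRH} [IP::client_addr]
    HTTP::header insert {$WSSN} [HTTP::host]
    HTTP::header insert {$WSSP} [TCP::local_port]

    # Rewrite Host last, after $WSSN has captured the original value
    HTTP::header replace Host "string2.domainA.com"
    virtual VS_SYST_SOA_EXTERNAL_LIVE_HTTPS
}

# Second virtual server, optional: only needed if the application there wants
# the raw DER rather than the base64 string. This is Kevin's decode step with
# the error check he mentions, so a malformed value cannot take the rule down.
when HTTP_REQUEST {
    if { [HTTP::header exists {$WSCC}] } {
        if { [catch { b64decode [HTTP::header value {$WSCC}] } der] || $der eq "" } {
            log local0. "Rejecting request with undecodable \$WSCC header from [IP::client_addr]"
            HTTP::respond 400 content "Bad Request"
            return
        }
        # $der now holds the DER certificate, e.g. [X509::subject $der]
    }
}
```

The second virtual server trusts whatever arrives carrying these headers, so it must only be reachable through the `virtual` hand-off from the first one; a client that can connect to it directly could otherwise assert any certificate it likes. A 1.7 KB certificate becomes a header of roughly 2.4 KB, so also check the HTTP profile's maximum header size on both virtual servers.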