Forum Discussion
Marvin
Cirrocumulus
CirrocumulusRequest client cert auth based on URL
I am trying to request client cert authentication based on select URL and it works with a whitelist only but when i use the negate in the datagroup with a datagroup including URI string values it doe...
Try replacing [SSL::cert 0] with [X509::whole [SSL::cert 0]]
MarvinCirrocumulus
CirrocumulusSo I adjusted the Irule and is now correctly matching both authentication bypass and the other lower part needs to be authenticated. We receive the popup to select client cert and is provided to F5 (confirmed in wireshark), however there is no header value inserted and not logged as it is empty very strange. In wireshark i confirm that there is only one cert provided to F5.
Perhaps the [SSL::cert 0} command only work when using a clientssl profile with client cert authentication enabled?Is there any way to use the SSL::renegotiate option and retrieve and store the client cert properly?
when HTTP_REQUEST {
if {[class match [string tolower [HTTP::uri]] contains DG_ACC_NO_CERT_AUTH] && [HTTP::method] == "POST" && [HTTP::path] == "/nidp/idff/sso"}{
#HTTP::header insert SSL_CLIENT_CERT [b64encode [SSL::cert 0]]
log local0. "certificate not inserted and header SSL_CLIENT_CERT value is: [HTTP::header value SSL_CLIENT_CERT] for host [HTTP::host] and URI: [HTTP::uri] and clientip: [IP::client_addr] "
return
}
elseif { [class match [string tolower [HTTP::uri]] contains DG_ACC_CERT_AUTH] && [HTTP::method] == "POST" && [HTTP::path] == "/nidp/idff/sso"}{
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode request
SSL::renegotiate enable
SSL::renegotiate
HTTP::header insert SSL_CLIENT_CERT [b64encode [SSL::cert 0]]
log local0. "certificate inserted and header SSL_CLIENT_CERT value is: [HTTP::header value SSL_CLIENT_CERT] for host [HTTP::host] and URI: [HTTP::uri] and clientip: [IP::client_addr]"
}
}
