Forum Discussion
Request client cert based on URI access
I've been dredging DevCentral and built 4 or 5 iterations of an iRule with mixed success. I made a good breakthrough, but then the scope crept and I'm back at step 1.
I am attempting to develop an iRule that will limit access to certain URIs based upon the client providing a certificate. The trick is that users can only be prompted to provide a certificate when they access the specific URI. I've started fresh using the example provided here:
http://devcentral.f5.com/wiki/iRule...ation.ashx
I've obfuscated some data but nothing critical to the running of the iRule. I've also changed the outcome - I just want the PEM encoded cert inserted in the header (processing occurs on the application server).
In its current form - the connection seems to 'hang' which makes me think the HTTP::release isn't happening.
Here is where I am now:

# Initialize the variables on each new client TCP session.
when CLIENT_ACCEPTED {
    set collecting 0
    set renegtried 0
}

# Runs for each new HTTP request.
when HTTP_REQUEST {
    if { $renegtried == 0 and [SSL::cert count] == 0 and ( [HTTP::uri] equals "/URI/ClientCert" ) } {
        HTTP::collect
        set collecting 1
        SSL::cert mode request
        SSL::renegotiate
    }
}

when CLIENTSSL_HANDSHAKE {
    if { $collecting == 1 } {
        set renegtried 1
        HTTP::release
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        if { [SSL::cert count] > 0 } then {
            # Set a variable for the whole cert, minus the BEGIN/END markers and line breaks.
            set ssl_cert_whole [ join [string trim [string map { "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" ""} [X509::whole [SSL::cert 0] ] ] "" ]]
            # Log to show we are receiving the cert.
            log local0. "Client Certificate: [X509::subject [SSL::cert 0]]"
            # Insert the whole cert as a header.
            HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" $ssl_cert_whole
        } else {
            log local0. "Restricted zone. No client cert detected - redirecting."
            HTTP::redirect "https://error.com"
        }
    }
}
Any help would be awesome.
- nitass (Employee): I did a simple test. Hope it is helpful.
[root@Edelweiss:Active] config # b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.17.17:https
   ip protocol tcp
   rules myrule
   profiles {
      http {}
      myclientssl {
         clientside
      }
      tcp {}
   }
}
[root@Edelweiss:Active] config # b profile myclientssl list
profile clientssl myclientssl {
   defaults from clientssl
   ca file "ca-bundle.crt"
   renegotiate enable
}
[root@Edelweiss:Active] config # b rule myrule list
rule myrule {
   when CLIENTSSL_HANDSHAKE {
      if { [SSL::cert count] > 0 } {
         HTTP::release
      }
   }
   when HTTP_REQUEST {
      if { [string tolower [HTTP::uri]] starts_with "/uri/clientcert/" } {
         if { [SSL::cert count] == 0 } {
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
         }
      }
   }
}

4 10 1315633001.1229 (0.0159) C>SV3.1(410) application_data
---------------------------------------------------------------
GET / HTTP/1.1
Host: 172.28.17.17
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.22) Gecko/20110902 AskTbPTV/3.12.5.17640 Firefox/3.6.22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
---------------------------------------------------------------
4 11 1315633001.1266 (0.0036) S>CV3.1(500) application_data
---------------------------------------------------------------

4 10 1315632762.4093 (0.0099) C>SV3.1(425) application_data
---------------------------------------------------------------
GET /uri/clientcert/ HTTP/1.1
Host: 172.28.17.17
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.22) Gecko/20110902 AskTbPTV/3.12.5.17640 Firefox/3.6.22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
---------------------------------------------------------------
4 11 1315632762.4096 (0.0003) S>CV3.1(24) Handshake HelloRequest
4 12 1315632762.4102 (0.0005) C>SV3.1(174) Handshake ClientHello
4 13 1315632762.4109 (0.0007) S>CV3.1(94) Handshake ServerHello
4 14 1315632762.4109 (0.0000) S>CV3.1(712) Handshake Certificate
4 15 1315632762.4109 (0.0000) S>CV3.1(28) Handshake CertificateRequest
4 16 1315632762.4109 (0.0000) S>CV3.1(24) Handshake ServerHelloDone
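As an added example, not code posted by anyone in this thread, the iRule below combines the URI-triggered renegotiation from nitass's test rule with the header insertion the original post is after. It also strips any client-supplied copy of the header on the way in, because HTTP::header insert appends a header rather than replacing one, so a client could otherwise ship its own X-ENV-SSL_CLIENT_CERTIFICATE value to the application server. The path prefix /uri/clientcert/, the header name and the clientssl profile settings are assumptions taken from the thread, not fixed values.

```tcl
# Added example: URI-gated client certificate request on BIG-IP LTM.
# Assumes the virtual server's clientssl profile has "renegotiate enable"
# and a CA bundle configured (see nitass's "myclientssl" profile above).
# The protected prefix and the header name are hypothetical.

when CLIENT_ACCEPTED {
    # Per-connection state: is a request being held while we renegotiate,
    # and has a renegotiation already been attempted on this connection?
    set collecting 0
    set renegtried 0
}

when HTTP_REQUEST {
    # Never trust a client-supplied copy of the header the BIG-IP sets;
    # HTTP::header insert appends rather than replaces, so drop it first.
    HTTP::header remove "X-ENV-SSL_CLIENT_CERTIFICATE"

    if { [string tolower [HTTP::uri]] starts_with "/uri/clientcert/" } {
        if { [SSL::cert count] == 0 } {
            if { $renegtried == 0 } {
                # Hold this request, then force a new handshake that
                # requires a client certificate chained to the CA bundle.
                HTTP::collect
                set collecting 1
                set renegtried 1
                SSL::session invalidate
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            } else {
                # A renegotiation was already tried on this connection and
                # still yielded no certificate: refuse rather than loop.
                log local0. "Restricted zone: no client cert after renegotiation from [IP::client_addr]"
                HTTP::respond 403 content "Client certificate required"
            }
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires for the initial handshake as well; only release a held request.
    if { $collecting == 1 } {
        set collecting 0
        HTTP::release
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        if { [SSL::cert count] > 0 } {
            # Reduce the PEM to its single-line base64 body (no markers,
            # no line breaks) so it fits in one header value.
            set pem [X509::whole [SSL::cert 0]]
            set b64 [join [string trim [string map { "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" "" } $pem]] ""]
            HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" $b64
            log local0. "Client certificate: [X509::subject [SSL::cert 0]]"
        }
    }
}
```

With SSL::cert mode require, a renegotiated handshake in which the client presents no certificate fails and the connection is torn down, so the held request never reaches the pool; the 403 branch only matters if you switch to SSL::cert mode request, where the handshake completes without a certificate. Requests that never touch the protected prefix are not renegotiated, which is the per-URI behaviour the thread is trying to get.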
- JessB_42846 (Nimbostratus): I'm also receiving a warning in my LTM logs:
Aug 12 03:00:06 local/tmm2 warning tmm2[13007]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: pr_c_ssl_name-removed
- JessB_42846 (Nimbostratus): Here is the Apache code to achieve what I want to do, request a client certificate on a specific directory basis:
SSLVerifyClient require
SSLVerifyDepth 1
- hooleylist (Cirrostratus): Do you have renegotiation enabled on your client SSL profile? What debug logging do you see in /var/log/ltm?
- JessB_42846 (Nimbostratus): I've enabled 'renegotiation' on the SSL profile. Thanks for that, Aaron.
The first example noted here 'http://devcentral.f5.com/wiki/iRule...tiate.ashx' seems to have the same problem. I'm not prompted for a client certificate and the connection never completes.
Obviously, I've got something wrong somewhere.
No debug logging in LTM logs - do I need to increase the verbosity or something?