Forum Discussion
Goran_Blomquis1
Nimbostratus
Mar 26, 2009
Set SSL to require and pass cert when URI /manual
Hi devcentral
I try to write an iRule that changes ignore to require in the SSL client profile. I think I'm on the right track, but the backend seems to be very slow and asks for the cert all the time. I see in the log that cert info is passed to the backend when /manual is in the URI.
    when CLIENTSSL_HANDSHAKE {
        if { [SSL::cert count] > 0 } {
            # Cache the client cert in the session table, keyed by SSL session ID
            set cur [SSL::sessionid]
            set ask [session lookup ssl $cur]
            if { $ask eq "" } {
                session add ssl [SSL::sessionid] [SSL::cert 0]
                HTTP::release
            }
        }
    }
    when HTTP_REQUEST {
        set requestcertificatepage_uri [string tolower [HTTP::uri]]
        log local5. "vilken uri [HTTP::uri]"
        if { $requestcertificatepage_uri contains "/manual" } {
            if { [SSL::cert count] == 0 } {
                # Hold the request and renegotiate, this time requiring a cert
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
                # The lookup below runs immediately, before the renegotiation
                # has completed, so the cert is not yet in the session table
                set id [SSL::sessionid]
                set the_cert [session lookup ssl $id]
                if { $the_cert != "" } {
                    HTTP::header replace X-Client-Cert [b64encode $the_cert]
                    log local5. "putt clientcert in header [b64encode $the_cert]"
                }
            }
        }
    }
Have a great day
6 Replies
- linjing
Employee
What is the result?
- Goran_Blomquis1
Nimbostratus
Hi,
The result was that certificate info never reached the backend server (if I remember it right). The problem is solved and I use an iRule looking something like this.
    when CLIENTSSL_CLIENTCERT {
        # Renegotiation finished: release the held request, or drop the
        # connection if the client still presented no certificate
        HTTP::release
        if { [SSL::cert count] < 1 } {
            reject
        }
    }
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/manual" } {
            if { [SSL::cert count] <= 0 } {
                # Hold the request and renegotiate, requiring a client cert
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }
    when HTTP_REQUEST_SEND {
        clientside {
            # Pass the now available client cert to the backend as a header
            if { [HTTP::uri] starts_with "/manual" } {
                if { [SSL::cert count] > 0 } {
                    HTTP::header replace X-Client-Cert [b64encode [SSL::cert 0]]
                }
            }
        }
    }
- hoolio
Cirrostratus
That example wouldn't work well for clients who try to resume an existing SSL session. You would want to store the SSL session ID in the session table and then check on new requests if the current SSL session ID has a corresponding entry in the session table before checking if there is a cert.
This codeshare example shows how to validate the client cert and store valid cert details in the session table:
http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html
Also, to force some IE browser versions to pick a new SSL session ID when renegotiating the SSL handshake you should use SSL::session invalidate before calling SSL::renegotiate:
    # Force renegotiation of the SSL connection with a cert requested
    SSL::session invalidate
    SSL::authenticate always
    SSL::authenticate depth 9
    SSL::cert mode require
    SSL::renegotiate
And if you want to gracefully handle clients who don't provide a cert you would want to set SSL::cert mode to request and then send some kind of response if the cert isn't present.
Aaron
- Goran_Blomquis1
Nimbostratus
Thank you Aaron, I appreciate your input. I need to check how the final iRule looks. I'll get back! :-)
- linjing
Employee
Posted By hoolio on 10/15/2009 4:33 AM
"And if you want to gracefully handle clients who don't provide a cert you would want to set SSL::cert mode to request and then send some kind of response if the cert isn't present."
But in the HTTP_REQUEST_SEND event we are unable to use commands such as HTTP::redirect.
It seems that there is no good way to show friendly info to the client.
- hoolio
Cirrostratus
That's a good point. F5's answer was to create a hotfix (CR125264) which allows use of HTTP::respond in the CLIENTSSL_HANDSHAKE event. The hotfix is built for 9.4.8 and might be available for 10.x as well. You can contact F5 Support to request this fix.
Aaron
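As an added example (not code from the thread or from F5), here is one way to combine hoolio's two suggestions: check the SSL session ID against the session table before renegotiating, so resumed sessions are not renegotiated again, and call SSL::session invalidate before SSL::renegotiate. The 3600-second session timeout, the "nocert" marker value, the client_cert and want_cert variables and the X-Client-Cert header name are my own choices; the missing-cert path still cannot answer with HTTP::respond from CLIENTSSL_CLIENTCERT without the hotfix hoolio mentions, so it records the outcome and answers on the next request instead.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Runs when the renegotiation triggered in HTTP_REQUEST completes. Store
    # the outcome under the new SSL session ID so a resumed session is not
    # renegotiated again, and keep the cert in a connection variable.
    if { [SSL::cert count] > 0 } {
        set client_cert [SSL::cert 0]
        session add ssl [SSL::sessionid] $client_cert 3600
        HTTP::release
    } else {
        # No cert presented. HTTP::respond is not usable in this event without
        # the hotfix named in the thread, so record the outcome and drop this
        # attempt; a retry on the resumed session gets a 403 from HTTP_REQUEST.
        session add ssl [SSL::sessionid] "nocert" 3600
        reject
    }
}

when HTTP_REQUEST {
    set want_cert 0
    if { [string tolower [HTTP::uri]] starts_with "/manual" } {
        set want_cert 1
        set state [session lookup ssl [SSL::sessionid]]
        if { $state eq "" } {
            # Unknown SSL session: hold the request, invalidate the session so
            # a fresh ID is negotiated, then renegotiate asking for a cert
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        } elseif { $state eq "nocert" } {
            HTTP::respond 403 content "A client certificate is required for /manual" "Content-Type" "text/plain"
        } else {
            # Resumed session that already presented a cert: reuse it
            set client_cert $state
        }
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        # Pass the cert to the backend, whether it came from this handshake
        # or from the session table entry of a resumed session
        if { $want_cert && [info exists client_cert] } {
            HTTP::header replace X-Client-Cert [b64encode $client_cert]
        }
    }
}
```

The backend must still trust X-Client-Cert only when the request arrived through this virtual server, since any client could otherwise supply that header itself.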