Forum Discussion
SSL Authentication issues
Our method is to have them purchase a cert from an authority
(although we’re trying to get self-signed certs to work for initial testing),
give us the serial of that cert and we’ll put it in a Data Group List that
our iRule checks. So we’ll check for a valid cert and that it matches our
list of serials. Below is the iRule as it is now and a screen capture
of the section of the SSL Client profile I was talking about.
Some scratch notes from last night's testing:
In Stage Environment:
  - if we request client cert, clients with no cert come through
  - if we require client cert, passes to iRule and valid clients are rejected
  - IE8 gets through
  - Firefox does not get through
iRule - ncf-tls-poc.443
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        log local0. "No Client Certificate Provided - IP:[IP::client_addr]"
        drop
    } else {
        log local0. "Client Certificate Received - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
        if { [class match [X509::serial_number [SSL::cert 0]] equals ncf-tls-poc.443-ValidCertificateSNs] } {
            log local0. "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
        } else {
            log local0. "Client Rejected - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            reject
        }
    }
}
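The following iRule is an added example of the approach described in the post above; it is not the original poster's iRule and not F5-supplied code. It keeps the thread's data group name (ncf-tls-poc.443-ValidCertificateSNs) and adds the two checks a practitioner would want around a serial-number allowlist: the chain-verification result is read with SSL::verify_result, so a certificate that was presented but does not chain to the profile's CA file is refused even when the profile is in "request" mode (where the handshake completes regardless), and the issuer DN is pinned before the serial lookup, because certificate serial numbers are only unique within a single issuing CA. The issuer DN string is a hypothetical placeholder to be replaced with the real CA's subject.

```tcl
# Added example (not the original poster's iRule, not F5-supplied code).
# Assumptions: string data group ncf-tls-poc.443-ValidCertificateSNs holds the
# allowed serials as they are returned by X509::serial_number, and the expected
# issuer DN below is a hypothetical placeholder for the real client CA.
when CLIENTSSL_CLIENTCERT {
    # No certificate presented. With "peer cert mode require" the handshake is
    # already aborted before this event; this branch matters in "request" mode.
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate - IP:[IP::client_addr]"
        reject
        return
    }

    set cert   [SSL::cert 0]
    set serial [X509::serial_number $cert]
    set issuer [X509::issuer $cert]

    # Result of verifying the presented chain against the profile's CA file.
    # 0 means the chain validated; in "request" mode the handshake continues
    # even on failure, so the iRule has to enforce this itself.
    set vres [SSL::verify_result]
    if { $vres != 0 } {
        log local0. "Client cert failed verification ([X509::verify_cert_error_string $vres]) - IP:[IP::client_addr] Serial:$serial"
        reject
        return
    }

    # Serials are only unique per issuing CA: pin the issuer before trusting
    # the serial allowlist. (Hypothetical DN; replace with your CA's subject.)
    if { $issuer ne "CN=Example Client CA,O=Example Corp,C=US" } {
        log local0. "Client cert from unexpected issuer ($issuer) - IP:[IP::client_addr] Serial:$serial"
        reject
        return
    }

    # "--" ends option parsing so the serial value can never be read as a flag.
    if { [class match -- $serial equals ncf-tls-poc.443-ValidCertificateSNs] } {
        log local0. "Client accepted - IP:[IP::client_addr] Serial:$serial"
    } else {
        log local0. "Client rejected - IP:[IP::client_addr] Serial:$serial"
        reject
    }
}
```

With this structure, each rejection path logs the reason and the serial before the connection is refused, which makes the "valid clients are rejected" symptom from the scratch notes diagnosable from /var/log/ltm alone: a verification failure points at the CA file on the profile, an issuer mismatch at the pinned DN, and a serial miss at the data group contents.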
- nitass (Employee): It seems to be okay on my Firefox.
[root@ve1023:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:443
   ip protocol 6
   rules myrule
   profiles {
      http {}
      myclientssl {
         clientside
      }
      tcp {}
   }
   vlans external enable
}
[root@ve1023:Active] config b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}
[root@ve1023:Active] config b profile myclientssl list
profile clientssl myclientssl {
   defaults from clientssl
   ca file "ca.crt"
   peer cert mode require
}
[root@ve1023:Active] config b class ncf-tls-poc.443-ValidCertificateSNs list
class ncf-tls-poc.443-ValidCertificateSNs {
   "01"
}
[root@ve1023:Active] config b rule myrule list
rule myrule {
   when CLIENTSSL_CLIENTCERT {
      if { [SSL::cert count] == 0 } {
         log local0. "No Client Certificate Provided - IP:[IP::client_addr]"
         drop
      } else {
         log local0. "Client Certificate Recieved - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
         if { [class match -- [X509::serial_number [SSL::cert 0]] equals ncf-tls-poc.443-ValidCertificateSNs] } {
            log local0. "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
         } else {
            log local0. "Client Rejected - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            reject
         }
      }
   }
   when HTTP_REQUEST {
      log local0. "[IP::client_addr]:[TCP::client_port]|[HTTP::header User-Agent]"
   }
   when HTTP_RESPONSE {
      log local0. "[IP::client_addr]:[TCP::client_port]|[IP::remote_addr]:[TCP::remote_port]|[HTTP::status]"
   }
}
[root@ve1023:Active] config cat /var/log/ltm
Nov 18 09:08:46 local/tmm info tmm[24220]: Rule myrule : Client Certificate Recieved - IP:192.168.204.7 Serial:01
Nov 18 09:08:46 local/tmm info tmm[24220]: Rule myrule : Client Accepted - IP:192.168.204.7 Serial:01
Nov 18 09:08:46 local/tmm info tmm[24220]: Rule myrule : 192.168.204.7:53485|Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
Nov 18 09:08:46 local/tmm info tmm[24220]: Rule myrule : 192.168.204.7:53485|200.200.200.101:80|200
- Jim_Sellers_473 (Nimbostratus): For some reason clients aren't getting dropped when they don't match the datagroup.... Thanks for the response :)