Jim_Sellers_473
Nimbostratus
Nov 18, 2011 — SSL Authentication issues
Our method is to have them purchase a cert from an authority
(although we're trying to get self-signed certs to work for initial testing),
give us the serial number of that cert, and we'll put it in a...
nitass
Employee
Nov 18, 2011 — It seems to be okay on my Firefox.
[root@ve1023:Active] config b virtual bar list
virtual bar {
snat automap
pool foo
destination 172.28.19.79:443
ip protocol 6
rules myrule
profiles {
http {}
myclientssl {
clientside
}
tcp {}
}
vlans external enable
}
[root@ve1023:Active] config b pool foo list
pool foo {
members 200.200.200.101:80 {}
}
[root@ve1023:Active] config b profile myclientssl list
profile clientssl myclientssl {
defaults from clientssl
ca file "ca.crt"
peer cert mode require
}
[root@ve1023:Active] config b class ncf-tls-poc.443-ValidCertificateSNs list
class ncf-tls-poc.443-ValidCertificateSNs {
"01"
}
[root@ve1023:Active] config b rule myrule list
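rule myrule {
    # Client-certificate gate for the virtual server.
    # The clientssl profile (peer cert mode require, ca file ca.crt) is what
    # validates the chain; this rule only adds an allow-list on the serial
    # number, looked up in the ncf-tls-poc.443-ValidCertificateSNs data group.
    # NOTE(review): a serial number is unique only within one issuing CA.
    # If ca.crt ever becomes a CA bundle, match the issuer as well, otherwise
    # a certificate from a different trusted CA with the same serial passes.
    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert count] == 0 } {
            log local0. "No Client Certificate Provided - IP:[IP::client_addr]"
            drop
        } else {
            # Parse the peer certificate's serial once instead of re-parsing
            # it for every log line and again for the data-group lookup.
            set serial [X509::serial_number [SSL::cert 0]]
            log local0. "Client Certificate Recieved - IP:[IP::client_addr] Serial:$serial"
            if { [class match -- $serial equals ncf-tls-poc.443-ValidCertificateSNs] } {
                log local0. "Client Accepted - IP:[IP::client_addr] Serial:$serial"
            } else {
                log local0. "Client Rejected - IP:[IP::client_addr] Serial:$serial"
                reject
            }
        }
    }
    when HTTP_REQUEST {
        # Per-request audit line. User-Agent is client-supplied text written
        # verbatim into /var/log/ltm; anything that parses this log must not
        # trust its contents.
        log local0. "[IP::client_addr]:[TCP::client_port]|[HTTP::header User-Agent]"
    }
    when HTTP_RESPONSE {
        # Client -> pool member mapping plus the upstream status, for
        # correlating a request with the member that served it.
        log local0. "[IP::client_addr]:[TCP::client_port]|[IP::remote_addr]:[TCP::remote_port]|[HTTP::status]"
    }
}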
[root@ve1023:Active] config cat /var/log/ltm
Nov 18 09:08:46 local/tmm info tmm[24220]: Rule myrule : Client Certificate Recieved - IP:192.168.204.7 Serial:01
Nov 18 09:08:46 local/tmm info tmm[24220]: Rule myrule : Client Accepted - IP:192.168.204.7 Serial:01
Nov 18 09:08:46 local/tmm info tmm[24220]: Rule myrule : 192.168.204.7:53485|Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
Nov 18 09:08:46 local/tmm info tmm[24220]: Rule myrule : 192.168.204.7:53485|200.200.200.101:80|200