Forum Discussion
pjcampbell_7243
Oct 27, 2010 (Cirrus)
SSL client authentication?
Is it possible to require a client SSL certificate ? What I have in mind is basically a level of control to access the website. If the cert is not in some list of certs then do not allow access. I s...
Michael_Yates
Jul 05, 2011 (Nimbostratus)
If you are trying to utilize the default configuration options of Client Authentication within the SSL Profile, it will limit you to a list of approved Certificate Authorities (Specifies that the CAs that the system advertises to clients are trusted by the profile.)
If you are looking to do something more advanced you can use an iRule in conjunction with the Client Authentication.
For example: I configured a Virtual Server to Require Client Authentication in the SSL Profile, and that works in conjunction with this iRule that checks the hex value of the SSL certificate serial number against a list of "Valid / Authorized" certificates. If the SSL certificate is in the list then you are passed through; if not, you are rejected.
when CLIENTSSL_CLIENTCERT {
    # No certificate presented by the client: drop the connection
    if { [SSL::cert count] == 0 } {
        log local0. "No Certificate Provided"
        drop
    } else {
        log local0. "Certificate 1: [X509::serial_number [SSL::cert 0]]"
        log local0. "Client Certificate Received - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
        # Allow only serial numbers listed in the ValidCertificates data group
        if { [class match [X509::serial_number [SSL::cert 0]] equals ValidCertificates] } {
            log local0. "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
        } else {
            log local0. "Client Rejected - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            reject
        }
    }
}
I am sure that there are other examples in the iRules forum. I would suggest searching on the "CLIENTSSL_CLIENTCERT" Event.
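A variant of the same allow-list check, added here as an example and not part of Michael's post: a certificate serial number is only unique within one issuing CA, so this version keys the lookup on the serial number and then also compares the issuer DN, which matters when the SSL profile trusts more than one CA. The data group name AuthorizedCerts is assumed; each entry maps a serial number (in the form X509::serial_number returns it) to the issuer DN expected for that serial.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Reject the handshake if the client presented no certificate at all
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate presented - IP:[IP::client_addr]"
        reject
        return
    }

    set cert   [SSL::cert 0]
    set serial [X509::serial_number $cert]
    set issuer [X509::issuer $cert]

    # AuthorizedCerts (assumed data group name): key = serial number,
    # value = issuer DN that is expected to have issued that serial.
    # "class match -value" returns the stored value, or "" when the key is absent.
    set expected_issuer [class match -value $serial equals AuthorizedCerts]

    if { $expected_issuer ne "" && $expected_issuer eq $issuer } {
        log local0. "Client accepted - IP:[IP::client_addr] Issuer:$issuer Serial:$serial"
    } else {
        # Either the serial is not listed, or it is listed for a different CA
        log local0. "Client rejected - IP:[IP::client_addr] Issuer:$issuer Serial:$serial"
        reject
    }
}
```

The SSL profile's trusted CA bundle still decides which CAs can pass the handshake at all; this rule only narrows that set down to individual certificates.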