Forum Discussion

JoseCC_320098
Jun 05, 2017

Uri-based client cert authentication question

Hi, I need to configure a virtual server with selective client cert authentication based on URI.

In case the user selects cert auth, the URI changes to /myweb/secure/; F5 should request the client cert, renegotiate SSL and insert the client cert into an HTTP header so the back-end server can read it. There is quite a lot of info and posts about this feature, which I've read. I've configured the VS, SSL profile (client) and iRule but I just can't make this work.

SSL profile client:

  • renegotiation enabled
  • client authentication
  • client certificate: ignore
  • frequency: once
  • trusted certificate authorities & advertised cert: bundle of client cert CA

irule:

when CLIENTSSL_CLIENTCERT {
    # Fires after the renegotiated handshake: drop the connection if no certificate arrived,
    # otherwise release the request that HTTP::collect is holding.
    if { [SSL::cert count] < 1 } {
        reject
        return
    }
    HTTP::release
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/myweb/secure/" } {
        if { [SSL::cert count] == 0 } {
            # Hold the request, then redo the handshake with a certificate request.
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        if { [SSL::cert count] > 0 } {
            # X509::whole returns multi-line PEM; strip the line breaks so the value is a valid header.
            HTTP::header insert "x-clientcert" [string map [list "\r" "" "\n" ""] [X509::whole [SSL::cert 0]]]
        }
    }
}

I'm not sure whether the /myweb/secure/ path is ever accessible, since there is no browser pop-up requesting the client certificate. I really can't figure this out; any hints would be most appreciated. Thanks a lot for your time and help.

  • iRule and clientssl profile settings look fine. Check if the clientssl profile has any parent SSL profile configured that might overwrite some of the settings from the parent profile and cause the issue. Try logging as much as possible in the iRule to see what's happening.
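Following the reply's advice to log as much as possible, here is an added example (my own, not the poster's iRule nor anything the replier wrote) of the same URI-gated renegotiation flow instrumented with a log line at every event, so that a missing CLIENTSSL_CLIENTCERT entry in the log immediately shows whether the renegotiation is ever triggered. It also adds two defensive details: the client-supplied x-clientcert header is stripped so a client cannot spoof the value the back end trusts, and the certificate is only forwarded after SSL::verify_result reports a clean chain validation. It assumes the /myweb/secure/ path and the x-clientcert header name from the question, and that log local0. output is readable in /var/log/ltm.

```tcl
# Added example, not the poster's iRule: URI-gated client cert renegotiation with logging.
# Assumed values: protected path /myweb/secure/, header name x-clientcert (both from the question).

when HTTP_REQUEST {
    # Never trust a cert header presented by the client itself; the BIG-IP sets it below.
    HTTP::header remove "x-clientcert"

    set secure_path [string match "/myweb/secure/*" [HTTP::uri]]
    log local0. "HTTP_REQUEST from [IP::client_addr]: uri=[HTTP::uri] secure=$secure_path certs=[SSL::cert count]"

    if { $secure_path && [SSL::cert count] == 0 } {
        # Hold the request while the handshake is redone with a certificate request.
        HTTP::collect
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        log local0. "Requesting client certificate via renegotiation for [IP::client_addr]"
        SSL::renegotiate
    }
}

when CLIENTSSL_CLIENTCERT {
    set count [SSL::cert count]
    set result [SSL::verify_result]
    log local0. "CLIENTSSL_CLIENTCERT from [IP::client_addr]: certs=$count verify_result=$result"

    if { $count < 1 || $result != 0 } {
        # No certificate, or chain validation against the trusted CA bundle failed: drop the connection.
        log local0. "Rejecting [IP::client_addr]: no valid client certificate"
        reject
        return
    }
    log local0. "Accepted subject=[X509::subject [SSL::cert 0]] issuer=[X509::issuer [SSL::cert 0]]"
    HTTP::release
}

when HTTP_REQUEST_SEND {
    clientside {
        if { [SSL::cert count] > 0 } {
            # PEM contains line breaks, which are not valid inside a header value;
            # collapse them so the back end receives a single-line value.
            set pem [string map [list "\r" "" "\n" ""] [X509::whole [SSL::cert 0]]]
            HTTP::header insert "x-clientcert" $pem
            log local0. "Forwarded client cert for [IP::client_addr] in x-clientcert"
        }
    }
}
```

When reading the resulting log, the sequence to expect for a first request to the secure path is the HTTP_REQUEST line with certs=0, the "Requesting client certificate" line, and then a CLIENTSSL_CLIENTCERT line; if the third line never appears, the renegotiation itself is not happening, which points at the clientssl profile (renegotiation disabled or overridden by a parent profile) rather than at the iRule.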