on 10-Jul-2019 11:13
Problem this snippet solves:
The following is based on Slack's documentation on authenticating requests from Slack via mutual TLS and passing the client identity on to a service that cannot terminate mutual TLS itself, using an X-Client-Certificate-SAN header.
Adapted from: https://api.slack.com/docs/verifying-requests-from-slack#mutual_tls
Based on question from: https://devcentral.f5.com/s/question/0D51T00006n6YltSAE/extract-san-from-client-ssl-certificate-inse...
How to use this snippet:
Attach to Virtual Server that has both a HTTP and clientssl profile.
The clientssl profile must have client certificate handling set to "require" or "request" so that the client certificate is processed, and it must be configured with a CA certificate that verifies the client certificate is trusted. The iRule replaces (or removes) any X-Client-Certificate-SAN header sent by the client, so the back-end service only ever sees the value set by the BIG-IP.
Code:
when HTTP_REQUEST {
    if {[SSL::cert 0] ne ""}{
        # extract SAN: the text after "Subject Alternative Name" up to the first ","
        # (only the first SAN entry is used when the certificate carries several)
        set santemp [findstr [X509::extensions [SSL::cert 0]] "Subject Alternative Name" 32 ","]
        # remove DNS: prefix
        set san [findstr $santemp "DNS" 4]
        # insert X-Client-Certificate-SAN header, overwriting any client-supplied value
        HTTP::header replace X-Client-Certificate-SAN $san
    } else {
        # no client certificate: do not let a client-supplied header pass through
        HTTP::header remove X-Client-Certificate-SAN
    }
}
Tested this on version:
11.5
For the CN it would be the following.
when HTTP_REQUEST {
    if {[SSL::cert 0] ne ""}{
        # subject DN, e.g. "CN=hooks.example.com,OU=...,O=..."
        set tmpcn [X509::subject [SSL::cert 0]]
        # value after "CN=" up to the next "," so later RDNs are not carried into the header
        set cn [findstr $tmpcn "CN=" 3 ","]
        HTTP::header replace X-Client-Certificate-SAN $cn
    } else {
        HTTP::header remove X-Client-Certificate-SAN
    }
}
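The Python model below is an added illustration, not part of the original snippet or of BIG-IP itself: it reproduces the string handling of both iRules above (the findstr-based SAN extraction and the CN variant) and the replace/remove behaviour of the header on constructed certificate text, including a certificate with several SAN entries and a client that sends its own X-Client-Certificate-SAN header. The OpenSSL-style extension layout and the skip count derived from it are assumptions; the real X509::extensions spacing on BIG-IP is what the skip value of 32 in the iRule accounts for.

```python
# Model of the iRule string handling (added example, not BIG-IP or Slack code).

def findstr(string, search, skip=0, terminator=None):
    """Emulate the iRule findstr command: text after `search` (skipping `skip`
    characters from the start of the match) up to `terminator`, "" if absent."""
    idx = string.find(search)
    if idx < 0:
        return ""
    start = idx + skip
    if terminator is None:
        return string[start:]
    end = string.find(terminator, start)
    return string[start:] if end < 0 else string[start:end]

# Constructed extension text in OpenSSL layout (assumption: the value sits on the
# line after the extension name, indented by 16 spaces). The skip count is derived
# from that layout; the page's iRule uses 32 for BIG-IP's own formatting.
SAN_LABEL = "Subject Alternative Name"
SAN_HEADER = "X509v3 " + SAN_LABEL + ": \n" + " " * 16
SAN_SKIP = len(SAN_LABEL + ": \n") + 16
EXTENSIONS_ONE = ("X509v3 Key Usage: critical\n" + " " * 16 + "Digital Signature\n"
                  + SAN_HEADER + "DNS:hooks.example.com\n")
EXTENSIONS_MANY = SAN_HEADER + "DNS:hooks.example.com, DNS:api.example.com\n"

def san_from_extensions(ext_text):
    """Mirror the SAN iRule: first SAN entry with the "DNS:" prefix removed. The
    end-of-line trim is extra: with a single entry no "," follows, and findstr
    would otherwise return everything up to the end of the extension text."""
    entry = findstr(ext_text, SAN_LABEL, SAN_SKIP, ",")
    entry = entry.split("\n", 1)[0].strip()
    return findstr(entry, "DNS:", 4)

def cn_from_subject(subject):
    """Mirror the CN variant; the "," terminator keeps later RDNs out."""
    return findstr(subject, "CN=", 3, ",")

def apply_irule(headers, cert_extensions=None):
    """Model of the HTTP_REQUEST event: whatever the client sent in
    X-Client-Certificate-SAN is dropped; the header is set only from the cert."""
    out = {k: v for k, v in headers.items()
           if k.lower() != "x-client-certificate-san"}
    if cert_extensions:
        out["X-Client-Certificate-SAN"] = san_from_extensions(cert_extensions)
    return out
```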
Hi @Eric_Chen
Hope all is well.
I'm trying to create a rule that extracts the TLS cert DNS name and populates the value into a new header field:
x-forwarded-host-chkd.
Is this easily done? Thanks