Help
CodeShare
Have some code. Share some code.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Slack Mutual TLS Recipe: Adding X-Client-Certificate-SAN header from client certificate

Eric_Chen
F5 Employee
F5 Employee

on ‎10-Jul-2019 11:13

Problem this snippet solves:

The following is based on the documentation from Slack of how to authenticate requests from Slack via mutual TLS and pass along the information to a service that is not capable of mutual TLS via a X-Client-Certificate-SAN header.

Adapted from: https://api.slack.com/docs/verifying-requests-from-slack#mutual_tls

Based on question from: https://devcentral.f5.com/s/question/0D51T00006n6YltSAE/extract-san-from-client-ssl-certificate-inse...


How to use this snippet:

Attach to Virtual Server that has both a HTTP and clientssl profile.

The clientssl profile must be configured for "require" or "request" to process the client certificate and use a CA certificate that verifies that it is a trusted certificate. The iRule will replace any headers that are sent by the client.

Code :

when HTTP_REQUEST {

  if {[SSL::cert 0] ne ""}{
    # extract SAN
    set santemp [findstr [X509::extensions [SSL::cert 0]] "Subject Alternative Name" 32 ","] 
    # remove DNS: prefix
    set san [findstr $santemp "DNS" 4]
    # insert X-Client-Certificate-SAN header
    HTTP::header replace X-Client-Certificate-SAN $san
    
  } else {
    HTTP::header remove X-Client-Certificate-SAN
  }
}

Tested this on version:

11.5
Labels:
Comments
MoQasem
Nimbostratus
Nimbostratus
‎30-Jul-2019 12:02

I have similar setup but the requirement from app team is to extract cn from client certificate and insert it in http header what changes needed for this code?

0 Kudos
Eric_Chen
F5 Employee
F5 Employee
‎28-Aug-2019 06:22

For the CN it would be the following.

when HTTP_REQUEST {
  if {[SSL::cert 0] ne ""}{
    set tmpcn [X509::subject [SSL::cert 0]]
    set cn [findstr $tmpcn "CN=" 3]
    HTTP::header replace X-Client-Certificate-SAN $cn
    
  } else {
    HTTP::header remove X-Client-Certificate-SAN
  }
}
0 Kudos
adidasn2022
Nimbostratus
Nimbostratus
‎26-Jan-2022 12:30

Hi @Eric_Chen 

Hope all is well.

I'm trying to create an rule whereby it extract the TLS cert DNS name and populate value into a new header field:
in x-forwarded-host-chkd.

Is this easily done? Thanks 

0 Kudos
Version history
Last update:
‎10-Jul-2019 11:13
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC