Technical Articles
F5 SMEs share good practice.
joko_yuliantoro
F5 Employee

A customer asked whether F5 supports mTLS authentication per URL, because some firewall vendors do not support this use case. At first I thought it was not possible, because mTLS is negotiated at a lower OSI layer, before the URL is visible at L7. A colleague suggested that it should be possible to terminate the TLS session, inspect the URL, and then enforce the mTLS client-certificate check only where it is needed. It turns out that a simple iRule is enough to fulfil the requirement: mTLS authentication based on a specific URL.

Here is a simple iRule that does this, based on https://clouddocs.f5.com/api/irules/SSL__cert.html :

when HTTP_REQUEST {
  # Only the sensitive path requires a valid client certificate
  if { [HTTP::path] eq "/sensitive_url" } {
    if { [SSL::cert count] > 0 } {
      # A certificate was presented; 0 means the chain verified against the CA configured on the Client SSL profile
      if { [SSL::verify_result] == 0 } {
        # Good mTLS result, exit from this check
        return
      } else {
        set error_string [X509::verify_cert_error_string [SSL::verify_result]]
      }
    } else {
      set error_string "No client certificate provided"
    }
    # If we are still executing this iRule, the client did not present a cert or did not present a valid cert
    HTTP::respond 403 content "<html>Invalid client certificate: $error_string</html>"
  }
}

We have to expect that a client accessing a non-sensitive URL may come without a client TLS certificate. To accommodate this, the Client SSL profile attached to the virtual server must allow clients that present no certificate: set Client Certificate to "request" in the Client Authentication section of the Client SSL profile, so the certificate is requested during the handshake but the connection is not dropped if none is sent.

[Figure: Client SSL profile, Client Authentication section, with Client Certificate set to "request"]

That is all that is needed to fulfil the requirement of mTLS authentication per URL. You can adjust the iRule to check the URL against a data group if there are multiple URLs to be authenticated. You may also want to reduce the error message returned to the client to a minimum, so that an attacker cannot learn from the response why their client certificate was rejected.
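The following iRule is an added example of the two adjustments just mentioned, not code from the article or from F5: it matches the path against a data group and returns only a generic 403 while logging the real reason. It assumes a string data group named sensitive_paths (hypothetical) that holds path prefixes such as /admin and /api/internal; the data group must exist before the iRule can be saved.

```tcl
when HTTP_REQUEST {
  # Assumed data group "sensitive_paths" (string type) listing path prefixes that require mTLS
  if { [class match [HTTP::path] starts_with sensitive_paths] } {
    if { [SSL::cert count] < 1 } {
      set reason "no client certificate presented"
    } elseif { [SSL::verify_result] != 0 } {
      # Chain did not verify against the CA on the Client SSL profile
      set reason [X509::verify_cert_error_string [SSL::verify_result]]
    } else {
      # Valid client certificate: let the request continue to the pool
      return
    }
    # Keep the detail for operators in the log, not in the response body
    log local0. "mTLS denied: client [IP::client_addr] path [HTTP::path] reason: $reason"
    HTTP::respond 403 content "Forbidden" noserver "Connection" "close"
  }
}
```

Paths outside the data group are served regardless of whether a certificate was presented, which is exactly the behaviour the "request" setting on the Client SSL profile permits.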

Let me know your thoughts by leaving your comments below.

Comments
DavisLi
F5 Employee

Wow, that's it? That simple? 

joko_yuliantoro
F5 Employee

Yes, @DavisLi. It is that simple 😉

ITNC
Nimbostratus

Great article! Kudos! Saved our life.

jhosseini
Nimbostratus

Is it possible to remove the client certificate request for non-sensitive URLs?

joko_yuliantoro
F5 Employee

Hi @jhosseini ,

The non-sensitive URL is identified only after the mTLS handshake is completed. As mentioned in the article, mTLS is processed before the HTTP layer. It is not possible to remove the client certificate request during the mTLS handshake, because at that point the client has not even sent the HTTP request containing the URI.

The above solution still allows clients that establish mTLS connections without a client certificate and request a non-sensitive URL. This is because the VS's Client SSL profile is configured with the "request" flag, and the client is free to ignore the request. The VS will still allow clients coming in without a client certificate.

Version history
Last update: 04-Dec-2022 18:46