iRule: passing client cert to node

In this case, the BIG-IP is terminating SSL connections. The backend web server needs the information from the client certificate, but the BIG-IP should not re-encrypt the traffic to the node.

We have successfully configured the BIGIP device to require client certificates - it accepts the certs and passes the traffic through. Now, we need to be able to read and manipulate the client cert at the backend IIS web server via ASP/ASP.NET code.

No problem. With iRules you have full access to the client certificate, and it's fairly simple to base64-encode the entire client certificate into an HTTP header and pass it to the backend web server. Here's what they finally came up with, with some guidance from the DevCentral team.

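when CLIENTSSL_HANDSHAKE {
  # Store the client certificate in the session table, keyed by the
  # SSL session ID, if it is not already there.
  set cur [SSL::sessionid]
  set ask [session lookup ssl $cur]
  if { $ask eq "" } {
    session add ssl [SSL::sessionid] [SSL::cert 0]
  }
}

when HTTP_REQUEST {
  # Look up the stored certificate and pass it to the node, base64 encoded.
  # When no certificate is stored, the request headers are left untouched.
  set id [SSL::sessionid]
  set the_cert [session lookup ssl $id]
  if { $the_cert != "" } {
    HTTP::header replace SSLClientCert [b64encode $the_cert]
  }
}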

Search Google for Base64 and VB and you should find an implementation of the decoding method (or check the forum thread below).
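One way to do the decoding on the ASP.NET side, as an added example in C# rather than code from the original post or thread. It assumes the header holds the base64 of the DER-encoded certificate, as produced by the iRule's b64encode of SSL::cert 0; the class name ClientCertHeader and the self-signed sample certificate are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ClientCertHeader
{
    // Header name written by the iRule; in ASP.NET read Request.Headers[HeaderName].
    public const string HeaderName = "SSLClientCert";

    // Returns the parsed certificate, or null when the header is absent or does
    // not hold base64-encoded DER. Callers must treat null as "no client cert".
    public static X509Certificate2 Parse(string headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return null;
        try
        {
            byte[] der = Convert.FromBase64String(headerValue.Trim());
            return new X509Certificate2(der);
        }
        catch (FormatException) { return null; }         // not valid base64
        catch (CryptographicException) { return null; }  // not a certificate
    }

    public static void Main()
    {
        // Constructed sample: a throwaway self-signed certificate stands in for
        // the client certificate the BIG-IP would have received.
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-client", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 sample = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1)))
            {
                // Assumed to match [b64encode [SSL::cert 0]] in the iRule.
                string header = Convert.ToBase64String(sample.RawData);
                X509Certificate2 parsed = Parse(header);
                Console.WriteLine("Subject:    " + parsed.Subject);
                Console.WriteLine("Round trip: " + (parsed.Thumbprint == sample.Thumbprint));
            }
        }
        Console.WriteLine("Garbage header rejected: " + (Parse("not base64!") == null));
        Console.WriteLine("Missing header rejected: " + (Parse(null) == null));
    }
}
```

The backend should accept this header only on connections that arrive from the BIG-IP, since the header value alone does not show who set it.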

Click here for the original thread.

-Joe

 

[Listening to: Ants Marching - Dave Matthews Band - Central Park Concert (2 of 3) (05:51)]
Published Jul 27, 2005
Version 1.0

2 Comments

  • There are some things you can do with the client side request on 4.x but I don't believe that you have access to the actual certificate to add as a new http header. You might check in the 4.x admin guide to find which iRule commands are available but I'm thinking there isn't a one to one mapping.

    -Joe
  • Sure thing. Head over to Ask.f5.com, log in, click on Supported Products, select "BIG-IP 4.x" and select the "BIG-IP Reference Guide" and search for the iRules section.

    Here's the direct link to the iRules syntax section:

    https://support.f5.com/kb/en-us/products/big-ip_4_x/manuals/product/bigip4_6_2ref/BIGip_rules.html1204781

    -Joe