Client Authentication Based On URI

Question

Hello,
Currently, to configure client authentication on a URI, we create 2 client SSL profiles (one of which is parent for the other) and 2 iRules that check a data group against the URI list. The client SSL profile (not parent) is attached to virtual server on secure port along with the iRule. The second iRule is checking for the URI in the data group and redirects to https:// and is attached to the non-secure virtual server.
Parent SSL profile is configured with certificate bundle in Client Authentication for both Trusted Certificate Authorities and Advertised Certificate Authorities.
Everything works as expected, but looks complex. I have a feeling the above setup could be put into just one iRule without even having a data group created since there is only one URI that needs to be secured with the client authentication.
I have used the iRule from https://devcentral.f5.com/articles/selective-client-cert-authentication but can't make it work.
when CLIENTSSL_CLIENTCERT {
  HTTP::release
  if { [SSL::cert count] &lt; 1 } {
    reject
  }
}

when HTTP_REQUEST {
  if { [HTTP::uri] contains [string tolower "/secureapi"] } {
    if { [SSL::cert count] &lt;= 0 } {
      HTTP::collect
      SSL::authenticate always
      SSL::authenticate depth 9
      SSL::cert mode require
      SSL::renegotiate
    }
  }
}

when HTTP_REQUEST_SEND {
  clientside {
    if { [SSL::cert count] &gt; 0 } {
      HTTP::header insert "X-SSL-Session-ID"        [SSL::sessionid]
      HTTP::header insert "X-SSL-Client-Cert-Status"    [X509::verify_cert_error_string [SSL::verify_result]]
      HTTP::header insert "X-SSL-Client-Cert-Subject"   [X509::subject [SSL::cert 0]]
      HTTP::header insert "X-SSL-Client-Cert-Issuer"    [X509::issuer [SSL::cert 0]]
    }
  }
}

Thanks for your time and help!

kevin_stewart · Answer

That code actually just works on a single VIP. You just need the one client SSL profile that also has the Trusted Certificate Authorities option configured and Client Authentication set to "ignore". When the browser accesses the secure site URL, the iRule is forcing an SSL renegotiation and flipping the Client Authentication setting to "require".

kevin_stewart · Answer

Does this iRule require the client cert configured for that /secureApi folder on the web servers then? &nbsp;

It does not. In fact you probably don't want to try to do client cert auth at the web servers at all. &nbsp;

Also, would this iRule work with a cert bundle configured for the Trusted Certificate Authorities option? &nbsp;

You absolutely need a Trusted Certificate Authorities bundle applied to the client SSL profile for mutual authentication to work. It won't be referenced until you actually renegotiate the SSL session and request a certificate from the client.&nbsp;

I have configured the client profile with one cert and am getting ERR_CONNECTION_RESET.&nbsp;

One cert? Are you talking about the certificate and private key selection in the top of the client SSL profile?&nbsp;

kevin_stewart · Answer

You don't use a client cert in the trust bundle. The bundle needs to contain all of the certificate authority certificates that make up the "trust path" from the client's certificate to the self-signed root. So for example, if the PKI looks like this:
client cert  -&gt;  subordinate CA  -&gt;  root CA

then the trust bundle must include the subordinate and root CA certs.

kevin_stewart · Answer

The client will present a client certificate. The client SSL profile must just a) request a client certificate, and b) validate that client certificate.&nbsp;
The first (requesting a client certificate) is handled with the Client Certificate option under the Client Authentication section of the client SSL profile. Set it Require if you want to request a client certificate in the SSL handshake, but fail closed if they don't send one. Set it to Request if you want to request a client certificate in the SSL handshake, but fail open if they don't send one.&nbsp;
The second (validating the client certificate) is handled by the Trusted Certificate Authorities option also in the Client Authentication section. This needs to be a CA certificate, or bundle of CA certificates that the BIG-IP needs to establish a trust chain from the client's certificate all the way to the self-signed root CA.&nbsp;

kevin_stewart · Answer

earlier you wrote that the client SSL profile should have the Client Authentication set to "ignore" and the iRule will flip it to "Require" when the secure URI is accessed.

I did indeed forget the context of the original question. 😉 But yet, because you're flipping that bit in the iRule, the Client Authentication option should be set to Ignore.

Also, it looks like the iRule doesn't detect the URI and the /SecureApi path is accessible, no browser pop-up requesting the client cert.

Well first, you're looking for an exact match against "/myApp/secureapi/myPage". At the very least I'd probably do a "starts_with" and include the base directory for which you want to require a client certificate.
if { [string tolower [HTTP::uri]] starts_with "/myapp/secureapi" }

Forum Discussion

Client Authentication Based On URI

7 Replies

Recent Discussions

redirect not working

When F5OS r2800 appliance reboots, interfaces configured at tenant level for VLAN are lost

HIRE ADRIAN LAMO HACKER TO RECLAIM LOST CRYPTOCURRENCY

rSeries and tenant upgrades

cat and grep command for rst messages

Related Content

BIG-IQ Client Certificate (PKI) Authentication

Enhance your Application Security using Client-side signals

DevCentral to Require Multi-Factor Authentication for Account Login from September 26

ForgeRock with F5 Distributed Cloud (XC) Account Protection and Authentication Intelligence

OWASP Tactical Access Defense Series: Broken Authentication and BIG-IP APM