Forum Discussion

igorzhuk
Apr 06, 2021

Client SSL cert: move traffic to CDN

Hi all, I am moving the app to a CDN. Before the CDN, the BIGIP checks the client SSL cert and, based on the URI, allows access to the site

(some URIs work without the client SSL cert, and some URIs work only if the client SSL cert is verified).

Now in the CDN we can only request (not require) the client SSL cert, but not enforce the PKI check, and insert it via an HTTP header.

How can I check that the client SSL cert the CDN gives me via the header is trusted by my CA?

(I don't want to look only at the CN, because an attacker can make a fake client cert with the same CN.)

Does someone have any idea?

5 Replies

  • Is the BIGIP still in the new traffic flow?

    client --> CDN --> BIGIP --> Origin server

    If yes, I guess you would not cache the URI which needs mTLS (client certificate authentication) at the CDN level, and that would be forwarded to the BIGIP. If this is the case, you can still use client certificate authentication on the BIGIP. Or did I understand it wrong?

    If the BIGIP is not in the traffic flow for the CDN, and below is the traffic flow

    client --> CDN --> Origin Server

    then you would need to see the option at the CDN level to parse the client certificate, extract the values from it (e.g. SubjectDN, Issuer, serial number) and add them in HTTP headers. These can be checked on the origin server for authorisation.

    • igorzhuk

      Current state is client --> BIGIP --> Origin Server

      Today the BIGIP makes a client cert request, and I allow, based on URI, who can access: some URLs work without a cert, and on some URLs I validate the client certificate and allow access only if the client cert is valid.

      The future state

      The flow will be: client --> CDN --> BIGIP --> Origin server

      We will move the client certificate authentication to the CDN,

      but in the CDN we can't make something like an iRule that checks the certificate validation based on the URI.

      We can make a client certificate request and, if the client gives the certificate, insert the certificate via an HTTP header to the BIGIP

      (the CDN does not make a PKI validation of the client certificate in "Request" mode of the client certificate).

      The CDN can validate the client cert only if I work in Required mode of the client cert, but that's not good for us because we allow some URIs that work without a cert.

      Now the question is: if the BIGIP gets the cert in an HTTP header in base64,

      how can I validate that it is a trusted certificate, and not only via the Subject? I need to validate that this is the certificate that my CA gave to the client.

  • Serial number or thumbprint are also unique values. Can the CDN send those in HTTP headers to the BIGIP?

    • igorzhuk

      F5 can send the whole client cert in base64 to me,

      but how can I validate it in the BIGIP?

      Will I need to add all SNs in the data group? If I generate a customer certificate (like an attacker), can't the SN be the same?

  • Yes. You would need to build a data group of all valid client certificates. When the BIGIP receives the details of the certificate, it would match against the known records and take action, either allow or reject. This needs to be done using an iRule.

    The serial number is unique per certificate, so if someone tries to spoof the certificate, the SubjectDN (common name) can be the same but the serial number won't match.

    The following are the unique values of the certificate.

    • SubjectDN and Issuer CA (combination)
    • Serial Number
    • Thumbprint
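As an added example (not code from this thread, F5 or any CDN), here is the check the original question asks for, done with the openssl CLI on the box that receives the header: decode the base64 DER certificate and verify its signature chain against our CA, ignoring the subject. It goes one step beyond the last reply by building a rogue-CA certificate with the same CN and the same serial number, to show which of the listed "unique values" a forger can copy (CN, serial) and which they cannot (the signature, and therefore the SHA-256 thumbprint). The CA names, the client CN and the serial are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: check a client certificate that a
# CDN forwards base64-encoded in an HTTP header against our own CA, using only
# the openssl CLI. Names, serial and header contents are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: our CA, a rogue CA, and a client cert from each that copies
# the same CN and even the same serial number (both are chosen by the issuer).
mk_ca() { openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
            -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null; }
mk_client() {  # $1 = signing CA basename, $2 = output basename
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
      -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
      -set_serial 4242 -days 1 -out "$WORK/$2.pem" 2>/dev/null
}
mk_ca "Corp Client CA" ca
mk_ca "Rogue CA" rogue
mk_client ca good
mk_client rogue fake

# What the CDN would place in the header: the DER certificate, base64, one line.
header_value() { openssl x509 -in "$WORK/$1.pem" -outform DER | openssl base64 -A; }

# verify_header_cert <base64-der>: succeed only if the signature chains to ca.pem.
# Subject and serial are deliberately not looked at; a forger picks both freely.
verify_header_cert() {
  printf '%s' "$1" | openssl base64 -d -A > "$WORK/hdr.der" || return 1
  openssl x509 -inform DER -in "$WORK/hdr.der" -out "$WORK/hdr.pem" 2>/dev/null || return 1
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/hdr.pem" > /dev/null 2>&1
}

# serial_of / thumbprint_of <base64-der>: two of the "unique" values from the
# last reply. The serial is set by whoever signs; the SHA-256 thumbprint covers
# the whole DER blob including the signature, so only it is safe as a data-group key.
serial_of()     { printf '%s' "$1" | openssl base64 -d -A | openssl x509 -inform DER -noout -serial; }
thumbprint_of() { printf '%s' "$1" | openssl base64 -d -A | openssl dgst -sha256 | awk '{print $NF}'; }
```

The same decode-then-verify step is what an origin-side check has to do before trusting anything else in the header; a data group keyed by SHA-256 thumbprint can then be layered on top for per-client allow lists.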