
Client SSL cert Move Traffic To CDN

igorzhuk
Nimbostratus

Hi all, I am moving the app to a CDN. Before the CDN, the BIGIP will check the client SSL cert and, based on the URI, allow access to the site

(some URIs work without the client SSL cert, and some URIs work only if the client SSL cert verifies).

Now in the CDN we can only request (and not require) the client SSL cert, but not enforce the PKI check, and insert it via an HTTP header.

How can I check if the client SSL cert that the CDN gives me via the header is trusted by my CA?

(I don't want to look only at the CN because an attacker can make a fake client cert with the same CN.)

Does someone have any idea?


SanjayP
MVP

Is BIGIP still in the new traffic flow?

client --> CDN --> BIGIP --> Origin server

If yes, I guess you would not cache the URIs which need mTLS (client certificate authentication) at the CDN level, and those would be forwarded to the BIGIP. If this is the case, you can still use client certificate authentication on BIGIP. Or did I understand it wrong?

If BIGIP is not in the traffic flow for the CDN and the traffic flow is as below:

client --> CDN --> Origin Server

Then you would need to see the option at the CDN level to parse the client certificate, extract the values from it (e.g. SubjectDN, Issuer, serial number) and add them in HTTP headers. These can be checked on the origin server for authorisation.

Current state is client --> BIGIP --> Origin Server

Today BIGIP makes a client cert request, and I allow, based on URI, who can access some URLs without a cert; for some URLs I validate the client certificate and allow access only if the client cert is valid.

The future state

The flow will be: client --> CDN --> BIGIP --> Origin server

We will move the (client certificate authentication) to the CDN,

but in the CDN we can't make (like an iRule) a check of the certificate validation based on URI.

We can make a client certificate request and, if the client gives the certificate, insert the certificate via HTTP header to BIGIP

(the CDN does not make a PKI validation of the client certificate in "Request" mode of the client certificate).

The CDN can validate the client cert only if I work in Required mode of client cert, but that's not good for us because we allow some URIs that work without a CERT.

Now the question is: if BIGIP is getting the CERT in an HTTP header in base64,

how can I validate that it is a trusted certificate, and not only via Subject? I need to validate that this is the certificate that my CA gave to the client.

SanjayP
MVP

Serial number or thumbprint are also unique values. Can the CDN send those in HTTP headers to BIGIP?

F5 can send the whole client cert in base64 to me,

but how can I validate it in the BIGIP?

Will I need to add all SNs to the DATAGROUP? If I generate a customer certificate (like an attacker), the SN can't be the same?

SanjayP
MVP

Yes. You would need to build the data group of all valid client certificates. When BIGIP receives the details of the certificate, it would match against the known records and take action to either allow or reject. This needs to be done using an iRule.

Serial number is unique per certificate, so if someone tries to spoof the certificate, the SubjectDN (common name) can be the same but the serial number won't match.

Following are the unique values of the certificate:

  • SubjectDN and Issuer CA (combination)
  • Serial Number
  • Thumbprint
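As an added example (not code from this thread, from F5, or from any CDN), here is what the check the question asks for looks like with plain openssl, so the logic can be tried outside of BIGIP before it is put into an iRule: the forwarded certificate is verified against our own CA, which is what a CN-only check and a serial-number lookup on their own cannot do, and only then are the serial number and SHA-256 thumbprint pulled out for the data-group match suggested above. The header format is an assumption (the DER certificate, base64-encoded on one line); the CA and certificate names, and the rogue certificate with a copied CN, are constructed test data.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5: verify a client
# certificate forwarded in an HTTP header against our own CA with openssl,
# then extract the serial number and SHA-256 thumbprint for an allow-list.
# Assumed header format: DER certificate, base64-encoded on a single line.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# --- constructed test PKI (names made up for this example) ---
make_ca() {                       # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
make_client() {                   # $1 = issuing CA name, $2 = output name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=app-client" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}
make_ca our-ca
make_ca attacker-ca
make_client our-ca genuine        # issued by our CA
make_client attacker-ca rogue     # same CN, issued by a CA we do not trust

# Encode a certificate the way the assumed header format carries it.
to_header() {                     # $1 = PEM certificate path
  openssl x509 -in "$1" -outform DER | openssl base64 -A
}
GENUINE_HDR="$(to_header "$WORK/genuine.crt")"
ROGUE_HDR="$(to_header "$WORK/rogue.crt")"

# Decode a header value back to a PEM certificate on stdout.
decode_header_cert() {            # $1 = header value
  printf '%s' "$1" | openssl base64 -d -A | openssl x509 -inform DER
}

# The check the question asks for: does the forwarded cert chain to our CA?
# openssl verify checks the issuer signature and the validity period, so a
# certificate with a copied CN but a different signing key fails here.
verify_header_cert() {            # $1 = header value, $2 = CA file
  decode_header_cert "$1" 2>/dev/null | openssl verify -CAfile "$2" >/dev/null 2>&1
}

# The CN-only check the question warns against: identical for both certs.
cert_cn() {                       # $1 = header value
  decode_header_cert "$1" | openssl x509 -noout -subject -nameopt RFC2253
}

# Values to key a data group on once the chain check has passed.
cert_serial() {                   # $1 = header value
  decode_header_cert "$1" | openssl x509 -noout -serial
}
cert_thumbprint() {               # $1 = header value
  decode_header_cert "$1" | openssl x509 -noout -fingerprint -sha256
}

report() {                        # $1 = label, $2 = header value
  if verify_header_cert "$2" "$WORK/our-ca.crt"; then
    echo "$1: chains to our CA; $(cert_serial "$2"); $(cert_thumbprint "$2")"
  else
    echo "$1: rejected, does not chain to our CA, even though $(cert_cn "$2")"
  fi
}
report genuine "$GENUINE_HDR"
report rogue "$ROGUE_HDR"
```

Two caveats when carrying this over to BIGIP: the header is only meaningful if it can only have been set by the CDN, so the virtual server must strip or ignore that header on any request that did not arrive from the CDN; and `openssl verify` as used here checks the signature and validity period but not revocation, which needs a CRL or OCSP check on top.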