Technical Forum
Ask questions.
Discover Answers.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- DevCentral
- Technical Forum
- Extract SAN from Client SSL Certificate & Insert i...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
10-Jul-2019
06:58
- last edited on
01-Jun-2023
14:55
by
JimmyPackets
Hi folks,
I'm working with some co-workers to setup some Slack.com forwarding in our environment. Mutual TLS and the insertion of the SAN from the client certificate into a HTTP header is a requirement. Can anyone help me come up with an iRule or LTM Policy to extract the SAN/CN from the client SSl cert and insert it as a HTTP header? Here's some additional info from Slack:
Configure your TLS-terminating server to request client certificates. Your server should accept client certificates issued by DigiCert SHA2 Secure Server CA, an intermediate CA under DigiCert Global Root CA. These CAs are included in many standard CA certificate bundles.
1- Extract either of the following fields in the certificate.
Subject Alternative Name: DNS:platform-tls-client.slack.com. By RFC 6125, this is the recommended field to extract.
or Subject Common Name: platform-tls-client.slack.com.
2- Inject the extracted domain into a header, and forward the request to your application server. Here's an example header you might add to the request: X-Client-Certificate-SAN: platform-tls-client.slack.com. Whatever you choose to call your header, check to make sure this header hasn't already been added to the request. Your upstream application server must know that the header was added by your TLS-terminating server as part of the Mutual TLS process.
Solved! Go to Solution.
Labels:
- Labels:
-
Application Delivery
-
Security
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
28-Aug-2019
06:12
- last edited on
01-Jun-2023
14:48
by
JimmyPackets
When I apply that iRule my test cert works. Not sure why your environment is different. Here's an alternate iRule you could try.
when HTTP_REQUEST {
if {[SSL::cert 0] ne ""}{
set tmpcn [X509::subject [SSL::cert 0]]
set cn [findstr $tmpcn "CN=" 3]
HTTP::header replace X-Client-Certificate-SAN $cn
} else {
HTTP::header remove X-Client-Certificate-SAN
}
}My test results.
curl -k --cert ./platform-tls-client.slack.com.crt --key ./platform-tls-client.slack.com.key https://192.168.1.200:8443/headers.json
{"User-Agent":"curl/7.29.0","Host":"192.168.1.200:8443","Accept":"*/*","X-Client-Certificate-SAN":"platform-tls-client.slack.com"}Here's what my config looks like.
ltm virtual test_vs {
creation-time 2019-08-27:10:03:53
destination 192.168.1.200:pcsync-https
ip-protocol tcp
last-modified-time 2019-08-27:10:20:58
mask 255.255.255.255
pool slack_pool
profiles {
http { }
mtls_clientssl {
context clientside
}
tcp { }
}
rules {
slack2
}
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 3
}
ltm profile client-ssl mtls_clientssl {
app-service none
authenticate-depth 0
ca-file f5ca
cert-key-chain {
default {
cert default.crt
key default.key
}
}
defaults-from clientssl
inherit-ca-certkeychain true
inherit-certkeychain true
peer-cert-mode require
}
ltm rule slack2 {
when HTTP_REQUEST {
if {[SSL::cert 0] ne ""}{
# extract SAN
set santemp [findstr [X509::extensions [SSL::cert 0]] "Subject Alternative Name" 32 ","]
# remove DNS: prefix
set san [findstr $santemp "DNS" 4]
# insert X-Client-Certificate-SAN header
HTTP::header replace X-Client-Certificate-SAN $san
} else {
HTTP::header remove X-Client-Certificate-SAN
}
}
}
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
10-Jul-2019 11:14
I created the following codeshare example that does what is required to generate the X-Client-Certificate-SAN: https://devcentral.f5.com/s/articles/Slack-Mutual-TLS-Recipe-Adding-X-Client-Certificate-SAN-header-...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
27-Aug-2019 09:29
Hi Eric,
Our application owners have finally gotten around to testing this and we are running into a slight problem. The header is getting inserted, but is including this full value which seems to be breaking things:
platform-tls-client.slack.com X509v3 Key Usage: critical Digital Signature
...do have any suggestions on how to remove the extra info in the value?
Thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
27-Aug-2019
10:26
- last edited on
01-Jun-2023
14:48
by
JimmyPackets
Can you send me a sample of your iRule? It is "weird" that it is grabbing that extra information. If you have a way to dump a copy of the Slack cert it would help. Here's my "test" cert that I have been using.
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgIUWzmeqJiZXLywAc2KXLDkQpdGX1wwDQYJKoZIhvcNAQEL
BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
B1NlYXR0bGUxFDASBgNVBAoTC0Y1IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMB4X
DTE5MDcxMDE2MjUwMFoXDTI0MDcwODE2MjUwMFowKDEmMCQGA1UEAxMdcGxhdGZv
cm0tdGxzLWNsaWVudC5zbGFjay5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCzuteu/69oCkhHe7gmyqo+m3BIs73WN419bKt0piYL/qkq6jkZydjq
5cq0Ne/6og9tXvzwX/B00+kyuccq0kv+lBFXSvO6N4mx5CZCWBmGGcEqCQ82lTwZ
B9SE7vsk1kG9WxxMR3M65fEC6mzPNpy7SDj33pGnkpwkmDbvGY45uqYWG8oRxUEV
wfU+HkjkuK6Ny9Ag5n+2naDblkpVfebEXaFqzjdUyuRL8ACpX2u9TW9H6crt08Gc
rNctNwS5HWuntf9XaMFUQeesnCTggfCRvQkFr4D3AalpZGEuBC7mp8CJhG7gFLbz
zzwdK+i+q9Q/FDMts3F067Rb9/AYi7CfAgMBAAGjgaowgacwDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBT19sITL/5oD6wi+PTEI/XSA0dwnDAfBgNVHSMEGDAWgBRkzB44
eEQlLGaY1CwbuiVRM/cPijAoBgNVHREEITAfgh1wbGF0Zm9ybS10bHMtY2xpZW50
LnNsYWNrLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEADPscLML2jmY6byf306FVmtUV
YT/2COAEySdGbmXm2rAeuINyFCOypNg/RhBIi9WyicicHVFjpskVizli+Qaom90h
L1g7MbMhqGL6jUGp81+L4ZJDlQXeJSDu9/KPg1FdiJdK/fe0kQoFFU7ENAjUpclt
7tYtlSQ6idVESZOzPk1Fu7/YCMtiWKNBPnF13fic4rF9Rg/wnX/Ct2Ji/WUSiQ/2
9gZX+YHPm3qm4DFn2fJV6gFKurWyClIai0AX1/+C4rpUJvWi2U/CElAcy4YNm7Vv
ON34sdFIMmfwLksKvA5AuNXFLefc7x/5PaBsDF26syv+NkVcyMjoiQ2T9QtoAQ==
-----END CERTIFICATE-----and my test CA
-----BEGIN CERTIFICATE-----
MIIDpjCCAo6gAwIBAgIUSpuabxnXu19oLF0fLKu17PNAtqEwDQYJKoZIhvcNAQEL
BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
B1NlYXR0bGUxFDASBgNVBAoTC0Y1IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMB4X
DTE4MDQyMDA2NDMwMFoXDTIzMDQxOTA2NDMwMFowWTELMAkGA1UEBhMCVVMxEzAR
BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxFDASBgNVBAoTC0Y1
IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA5B7v5d/xsEWcmLfhtHDZAE8vAn3qmiEMLT5lFSdxzCg6h0JkqeDF
iv50OGW00h2almjgEDMW+ldmjW+bSlWz5kpqdmzTXLnmw6/UN4Da+8odsw0abplS
6DNz/xjWcdw4YiLFY167AmtDUNXaJ/jTBAgWGYJy/rl2u1vpi1CWiJozpR/g/Jsb
bAxPXG54ZZi2yUbCVh12DmjAqBfU3LFCvvOQHYyjCon76sLnXifrWSjb8EOVJZc8
Vw3IdRq0vf74Q62RgQXNAd1G5hme7kl/RdrrWqxlxCK8XXU2RSVnAX5baVxY/HC0
lvXKsfFbJec+DkTAaZLZN4KJLfkvoylLXQIDAQABo2YwZDAOBgNVHQ8BAf8EBAMC
AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUZMweOHhEJSxmmNQsG7ol
UTP3D4owHwYDVR0jBBgwFoAUZMweOHhEJSxmmNQsG7olUTP3D4owDQYJKoZIhvcN
AQELBQADggEBAN0914undNu7bLOk+wVOTvfkL14jAoRCmv/rQBwvJoWNuU7d7TKk
D0SZ/GME8kNg9RIAY/POCTiISrORIkoMwt4eLv0bDejualvJ7MwqOvgdFby6BuGg
5dVioFfcwQA/i4L0smHX8QY+w8+RlD7DZnHKcx/C7sPHCkrqmLYLDQSalvv8KgwF
mBB/SBS/yACKpaJPCC3Vlj7aPt5aS6GmH25LpAeDM7LLrDHLj+osLbhkGou0ifYy
8RelfbJlI37NjVMJRWF1EsuSG0xYJPFg9/nqM6UPUHxLx+MmSJ6ibBj6MF6cYkKQ
5Okq/kt3E65/mPltGVmGYPFzwfqLIJFx13E=
-----END CERTIFICATE-----Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
27-Aug-2019
11:35
- last edited on
01-Jun-2023
14:48
by
JimmyPackets
Certainly. Here's the iRule:
when HTTP_REQUEST {
if {[SSL::cert 0] ne ""}{
# extract SAN
set santemp [findstr [X509::extensions [SSL::cert 0]] "Subject Alternative Name" 32 ","]
# remove DNS: prefix
set san [findstr $santemp "DNS" 4]
# insert X-Client-Certificate-SAN header
HTTP::header replace X-Client-Certificate-SAN $san
} else {
HTTP::header remove X-Client-Certificate-SAN
}
}...and here's the cert:
-----BEGIN CERTIFICATE-----
MIIGxDCCBaygAwIBAgIQBTuMAryoimCObRlbLqMDMDANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkwNjI3MDAwMDAwWhcN
MjEwNzAxMTIwMDAwWjCBjzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCENvbG9yYWRv
MREwDwYDVQQHEwhMYWtld29vZDEiMCAGA1UEChMZRmlyc3RCYW5rIEhvbGRpbmcg
Q29tcGFueTEXMBUGA1UECxMOV2ViIE9wZXJhdGlvbnMxHTAbBgNVBAMTFHNsYWNr
LmVmaXJzdGJhbmsuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
wn4vUEkwwaXq5pkCUKlsZpCvucrBG9ut8zL4StVWwbFAx4nkdCR7VYusUAhgr4Sl
z16iRk/CC9haT3lJO8QpxY32Fy+F0i4DE2sTRu3zYy5pxV68yr1VNh2tKbkaqSQD
TVwid+/PYjo1z7eoB85qH51CZKTkqf0qKPaDNnXytvmmoMSOTNiA47nmAS9Ho2ph
TQxO4lQ/aYV2pLJxflx5zEHf0gWmej727ayT/bbFWQHo46MCm/e9ATT0hBFB/1FC
wwyOsgG+zZoMvatoGiwD3szVaSdqaf5gl3egjZdpIgGzUePmPeVrNlDIfdYL7da5
kFRusukJ3tWWOWqwPd5tMwIDAQABo4IDWzCCA1cwHwYDVR0jBBgwFoAUD4BhHIIx
YdUvKOeNRji0LOHG2eIwHQYDVR0OBBYEFBorhc2cX34dOGaQ+ywCAMC684IlMB8G
A1UdEQQYMBaCFHNsYWNrLmVmaXJzdGJhbmsuY29tMA4GA1UdDwEB/wQEAwIFoDAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2gK4Yp
aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwL6AtoCuG
KWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMEwGA1Ud
IARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRp
Z2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMHwGCCsGAQUFBwEBBHAwbjAkBggrBgEF
BQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEYGCCsGAQUFBzAChjpodHRw
Oi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEyU2VjdXJlU2VydmVy
Q0EuY3J0MAwGA1UdEwEB/wQCMAAwggF8BgorBgEEAdZ5AgQCBIIBbASCAWgBZgB2
ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABa5nKiZgAAAQDAEcw
RQIhAMX3+WUefc7OLTV2KfybQJC+rrtS75LvMcOdxerfLNfmAiBYGbDiTmGMnADn
GReei6G26xhrkbonnEoM8D2BCgIHSwB1AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1
YMG06v9eoIMPAAABa5nKhcEAAAQDAEYwRAIgDgInNAmwRJYX5BxQwCrduwtdC9rt
EkVCupV/qUBZWJACIA0/Y61nvK1RxM74vGKKNU5iCl3ty5O26GCnmkBZvCl1AHUA
RJRlLrDuzq/EQAfYqP4owNrmgr7YyzG1P9MzlrW2gagAAAFrmcqE1QAABAMARjBE
AiBXCan4X5ODJdgTBG/zPgK4/YqJAW/IC8Sb3oskOkUwkgIgEF9bbej6NUMc26aA
KZVMza8zyKmgO+P0SRm8L34ZNpgwDQYJKoZIhvcNAQELBQADggEBALCU8N/sGGei
poeCutDWeSFUwUpPg1fWFgHmhLsCs+2BfSFyn/5fnyL+2JkM/haNpllyiiKBOwuw
tVAuXLIljyXmVtmTnTzWiWOeGgAS2q8DhzBDMgiOmrbKP4HW95a8LQQD8b95QMvF
D59+q77piBxwH8Qa3BQVMlI34/ATrWz3XSgJR7BPx7BH3unfSkV+KHqWVd1dIMyZ
3RcMdBwK/Fn2dDDaLyjubzGPJcnMQWP6CbC5iyGR/kzrtAzTfvplBzJ/f1+VHLL2
F3H/rajvB2ZCNO9OPrwpXuj1AWlXixKU6F9OLVObdyuz5SLex7SZnhjUayfkgjLH
f/SROV7gsGs=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
28-Aug-2019
06:12
- last edited on
01-Jun-2023
14:48
by
JimmyPackets
When I apply that iRule my test cert works. Not sure why your environment is different. Here's an alternate iRule you could try.
when HTTP_REQUEST {
if {[SSL::cert 0] ne ""}{
set tmpcn [X509::subject [SSL::cert 0]]
set cn [findstr $tmpcn "CN=" 3]
HTTP::header replace X-Client-Certificate-SAN $cn
} else {
HTTP::header remove X-Client-Certificate-SAN
}
}My test results.
curl -k --cert ./platform-tls-client.slack.com.crt --key ./platform-tls-client.slack.com.key https://192.168.1.200:8443/headers.json
{"User-Agent":"curl/7.29.0","Host":"192.168.1.200:8443","Accept":"*/*","X-Client-Certificate-SAN":"platform-tls-client.slack.com"}Here's what my config looks like.
ltm virtual test_vs {
creation-time 2019-08-27:10:03:53
destination 192.168.1.200:pcsync-https
ip-protocol tcp
last-modified-time 2019-08-27:10:20:58
mask 255.255.255.255
pool slack_pool
profiles {
http { }
mtls_clientssl {
context clientside
}
tcp { }
}
rules {
slack2
}
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 3
}
ltm profile client-ssl mtls_clientssl {
app-service none
authenticate-depth 0
ca-file f5ca
cert-key-chain {
default {
cert default.crt
key default.key
}
}
defaults-from clientssl
inherit-ca-certkeychain true
inherit-certkeychain true
peer-cert-mode require
}
ltm rule slack2 {
when HTTP_REQUEST {
if {[SSL::cert 0] ne ""}{
# extract SAN
set santemp [findstr [X509::extensions [SSL::cert 0]] "Subject Alternative Name" 32 ","]
# remove DNS: prefix
set san [findstr $santemp "DNS" 4]
# insert X-Client-Certificate-SAN header
HTTP::header replace X-Client-Certificate-SAN $san
} else {
HTTP::header remove X-Client-Certificate-SAN
}
}
}Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
17-Sep-2019 13:13
Hi Eric,
Apologies for the delayed response. We used the alternate rule you provided and it is working perfectly. Thank you so much for all your help!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
17-Sep-2019 13:19
Excellent! FYI, I used your question for an article: https://devcentral.f5.com/s/articles/Verifying-Slack-Requests-with-Mutual-TLS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
10-Jul-2019 12:41
Thank you so much Eric! I really appreciate it.
Best wishes,
Alan
Related Content
- ASM vs to APM vs and client certificates in Technical Forum
- Hi I am looking for some help with an irule that can call out to an api in Technical Forum
- F5 automation in Technical Forum
- Prevent BIG-IP Edge Client VPN Driver to roll back (or forward) during PPP/RAS errors in Technical Forum
- NGINX vs. iRule - Client certificate validation based on URI and other things in Technical Forum
