Forum Discussion

ronsengupta (Nimbostratus)
Apr 19, 2023

iRule for checking Client TLS cert during TLS Handshake (TLS 1.3)

Hi All,

Version: TLS 1.3 and F5 LTM

Is it possible to create an iRule to drop a TCP session if the Client doesn’t provide an acceptable Client Certificate as part of a TLS handshake?

5 Replies

  • Hi, 

    Would the following example be similar to what you are looking for? 

    https://f5-agility-labs-irules.readthedocs.io/en/latest/class2/module2/lab3.html

    You could of course customize it a bit to what exactly you are looking for, and when to reject, but this should work under TLS 1.3 as well. Here are further certificate commands you could use with this: https://clouddocs.f5.com/api/irules/X509.html

    Hope this helps. 

    P.S. In the above example, ignore the section under the RULE_INIT event (debug option); this is unnecessary in the iRule and has the potential to cause all kinds of other problems.

    • ronsengupta (Nimbostratus)

      Thanks for the response, this needs to be without the F5 doing TLS termination. The two-way auth needs to be directly between the client and server, where the F5 LTM will act as TCP pass-through, however it should be able to check that the client is using a cert without TLS termination. I was thinking about checking the TLS handshake, as the TLS handshake happens before the encrypted message exchange, however the TLS handshake does not have the client cert, it only has cipher suite information.

      • Michael_Saleem (MVP)

        I don't think you will be able to get the F5 to check the client certificate without applying a client SSL profile (with client authentication enabled) to the virtual server.

        The solution proposed by AlexBCT would work if you were able to terminate SSL on the F5 (as I believe the CLIENTSSL_CLIENTCERT iRule event requires a client SSL profile).
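
An iRule of the kind the lab link above describes, added here as an example that is not the lab's code and not from any poster in this thread. It assumes the virtual server carries a Client SSL profile with Client Authentication set to "request" and a Trusted CA bundle attached (the point made in the last reply: CLIENTSSL_CLIENTCERT does not fire without such a profile). The issuer DN and the data group name `allowed_client_subjects` are placeholders assumed for the example; the data group must exist for the iRule to save.

```tcl
# Added example (not the lab's code and not from any post in this thread).
# Assumes the virtual server has a Client SSL profile with Client
# Authentication set to "request" and a Trusted CA bundle attached;
# CLIENTSSL_CLIENTCERT does not fire without a Client SSL profile.
when CLIENTSSL_CLIENTCERT {
    # Client sent no certificate (possible in "request" mode): drop the TCP connection.
    if { [SSL::cert count] < 1 } {
        log local0. "[IP::client_addr]: no client certificate presented, rejecting"
        reject
        return
    }

    # Result of chain validation against the profile's Trusted CA bundle.
    # 0 is X509_V_OK; anything else is an OpenSSL verify error code.
    set verify_result [SSL::verify_result]
    if { $verify_result != 0 } {
        log local0. "[IP::client_addr]: client certificate failed verification (code $verify_result), rejecting"
        reject
        return
    }

    set subject [X509::subject [SSL::cert 0]]
    set issuer  [X509::issuer  [SSL::cert 0]]

    # Pin the issuer to the one CA you expect, so a cert from any other CA in the
    # bundle is not accepted by accident. Placeholder DN, assumed for this example.
    set expected_issuer "CN=Example Client CA,O=Example Corp"
    if { $issuer ne $expected_issuer } {
        log local0. "[IP::client_addr]: certificate $subject issued by unexpected CA $issuer, rejecting"
        reject
        return
    }

    # Optional per-client allow list: a string data group (assumed name
    # allowed_client_subjects) holding the exact subject DNs that are permitted.
    if { ![class match $subject equals allowed_client_subjects] } {
        log local0. "[IP::client_addr]: certificate $subject not in allow list, rejecting"
        reject
        return
    }

    log local0. "[IP::client_addr]: accepted client certificate $subject"
}
```

With Client Authentication set to "require" instead of "request", the profile itself refuses a handshake with no certificate before the event fires, so the `SSL::cert count` check then only matters for "request". This works because the Client SSL profile terminates TLS on the BIG-IP. For the pass-through case asked about in the thread, TLS 1.3 encrypts every handshake message after ServerHello, including the client's Certificate, so a TCP pass-through virtual server has nothing in the clear to inspect beyond the ClientHello; only TLS 1.2 sends the client Certificate message in plaintext.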