Request client cert auth based on URL

Hi

Your "not" command looks OK to me.  As you are converting to lowercase, are the entries in your data group all in lowercase also?  Have you logged the output of HTTP::uri to ensure that you will get a match?

In regard to a specific CA, have you looked at "Advertised Certificate Authorities" in the SSL profile?  Also, have you seen Rodrigo's great write up on this? - https://community.f5.com/t5/technical-articles/client-ssl-authentication-on-big-ip-as-in-depth-as-it-can-go/ta-p/281020

Hello Marvin.

Personally, I didn't notice any problem with using negate expressions with data-groups. Maybe with this expression:

if { ! ([class match [string tolower [HTTP::uri]] contains DG_ACC_NO_CERT_AUTH]) }{

In the other hand, 

---

Marvin wrote:

Another side question is that we would like to perform the SSL::renegotiate and request a specific client cert from a certain CA issuer, how could we accomplish that?

---

You can use "Advertised Certificate Authorities" to select the specific CA issuer.
REF - https://support.f5.com/csp/article/K14783

when using negation operation using NOT, you don't need to use else statment. Remove the else statment and it should work. 

You can't control what client is sending client mTLS certificate, but you can verify if the incoming mTLS cert matches the subjectDN and is from the trusted issuer. You can modify the iRule to parse subjectDN of the cert and match it against the datagroup of known client cert. In the SSL profile, you can use chain of the trusted issuer.

So I adjusted the Irule and is now correctly matching both authentication bypass and the other lower part needs to be authenticated. We receive the popup to select client cert and is provided to F5 (confirmed in wireshark), however there is no header value inserted and not logged as it is empty very strange. In wireshark i confirm that there is only one cert provided to F5.

Perhaps the [SSL::cert 0} command only work when using a clientssl profile with client cert authentication enabled?Is there any way to use the SSL::renegotiate option and retrieve and store the client cert properly?

when HTTP_REQUEST {
if {[class match [string tolower [HTTP::uri]] contains DG_ACC_NO_CERT_AUTH] && [HTTP::method] == "POST" && [HTTP::path] == "/nidp/idff/sso"}{

   #HTTP::header insert SSL_CLIENT_CERT [b64encode [SSL::cert 0]]
   log local0. "certificate not inserted and header SSL_CLIENT_CERT value is: [HTTP::header value SSL_CLIENT_CERT] for host [HTTP::host] and URI: [HTTP::uri] and clientip: [IP::client_addr] "
   return
}
elseif { [class match [string tolower [HTTP::uri]] contains DG_ACC_CERT_AUTH] && [HTTP::method] == "POST" && [HTTP::path] == "/nidp/idff/sso"}{   
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode request
SSL::renegotiate enable
SSL::renegotiate
HTTP::header insert SSL_CLIENT_CERT [b64encode [SSL::cert 0]]
log local0. "certificate inserted and header SSL_CLIENT_CERT value is: [HTTP::header value SSL_CLIENT_CERT] for host [HTTP::host] and URI: [HTTP::uri] and clientip: [IP::client_addr]"
}
}

So this seems to work however it is only inserted when refreshing the webpage so it needs two consecutive HTTP request, in this use case could work because there are in fact 2 consecutive request first GET then POST with exact same URL, but find it very strange that the HTTP_REQUEST insert header event cannot grab the initial CLIENTSSL_CLIENTCERT. Perhaps this is caused due to the following order:

The matching URL is matched then client cert authentication is negotiated to the client. Then the Certificate is received and stored and is only available for next HTTP request, does that makse sense? Perhaps moving the header insertion to HTTP_REQUEST_RELEASE would fix this.... 

when RULE_INIT {
set static::cert 0
}
when CLIENTSSL_CLIENTCERT { 
if {[SSL::cert count] > 0}{
log local0. "start CLIENTSSL_CLIENTCERT" 
set static::cert [X509::whole [SSL::cert 0]]
log local0. "end CLIENTSSL_CLIENTCERT with cert value $static::cert" }
}
 
when HTTP_REQUEST {
if {[class match [string tolower [HTTP::uri]] contains DG_ACC_NO_CERT_AUTH] && [HTTP::path] == "/nidp/idff/sso"}{
   log local0. "certificate not inserted and header SSL_CLIENT_CERT value is: [HTTP::header value SSL_CLIENT_CERT] for host [HTTP::host] and URI: [HTTP::uri] and clientip: [IP::client_addr] "
   return
}
elseif { [class match [string tolower [HTTP::uri]] contains DG_ACC_CERT_AUTH] && [HTTP::path] == "/nidp/idff/sso"}{   
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode request
SSL::renegotiate enable
SSL::renegotiate
HTTP::header insert SSL_CLIENT_CERT [b64encode $static::cert]
log local0. "certificate inserted and header SSL_CLIENT_CERT value is: [HTTP::header value SSL_CLIENT_CERT] for host [HTTP::host] and URI: [HTTP::uri] and clientip: [IP::client_addr]"
}
}

SanjayP, it seems to be working fine with irule I posted no need to change, on the clientssl profile the Renegotiation checkbox is unchecked actually. I have included the advertised and trusted CA in clientssl profile and when the Irule performs the client cert authentication only these issuers certs are requested which is perfect.

As per F5 documentation Renegotiation:

Controls on a per-connection basis how the system responds to mid-stream SSL reconnection requests. When enabled, the system processes mid-stream SSL renegotiation requests. When disabled, the system terminates the connection, or ignores the request, depending on system configuration. The default is enabled.

Should we enable this?