Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Selective mutual authentication by HTTP::Host

Go to solution
nuovain
Nimbostratus
Nimbostratus

‎28-Apr-2021 09:40

Hi all,

i'm trying to create an irule but i'm stuck, this is the situation:

 

I only have one vip for two clients with different subdomain ( example1.domain.com and example2.domain.com), there is an irule associated with the vip that direct the requests to different pools based on the domain (the ssl profile is one and the certificate include both domains with a wildcard *.domain.com).

Now...one of the clients asked for mutual authentication but i don't know how to implement this with the irule, the problem is that the CA is private and i can not find any parameter for SSL::verify to set the private CA chain.

 

I tried to create a new ssl profile specific for the domain but unfortunally HTTP::Host is not present in CLIENT_ACCEPTED, any idea?

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
SanjayP
MVP
MVP

‎28-Apr-2021 10:05

You can create new clientSSL profile with SNI option selected with server name added for the domain who needs mTLS and keep wildcard as default for SNI. So VIP would have 2 clientssl profiles (1 existing wildcard + new sni clientssl profile)

In the new, clientssl profile, you can select the mTLS option require and CA of the client certificate to validate it.

You can also add any custom iRule if needed to validate subjectDN of client cert or sending the cert details to the backend (this is optional as per requirement)

​​

View solution in original post

3 REPLIES 3

Go to solution
SanjayP
MVP
MVP

‎28-Apr-2021 10:05

You can create new clientSSL profile with SNI option selected with server name added for the domain who needs mTLS and keep wildcard as default for SNI. So VIP would have 2 clientssl profiles (1 existing wildcard + new sni clientssl profile)

In the new, clientssl profile, you can select the mTLS option require and CA of the client certificate to validate it.

You can also add any custom iRule if needed to validate subjectDN of client cert or sending the cert details to the backend (this is optional as per requirement)

​​

Go to solution
nuovain
Nimbostratus
Nimbostratus
In response to SanjayP

‎28-Apr-2021 12:17 - last edited on ‎24-Mar-2022 01:08 by Fog

Thanks!

just one last question for curiosity: could i set ssl::verify to use a specific CA chain?

0 Kudos

Go to solution
SanjayP
MVP
MVP

‎28-Apr-2021 13:17

SSL::verify_result is used to set the error code after verifiying the client certificate.

[X509::verify_cert_error_string [SSL::verify_result]] is used to provide the actual error message if client certificate is invalid.

 

In order to validate and check client certificate is issued by trusted CA, you would need to use clientssl profile settings. Import the intermediate (Issuer CA) certificate of client certificate in F5. If there are multiple different CA certs, you can import as bundle. And then select that in trusted certificate authorities under client authentication settings of clientssl profile.

 

There is also another way, to verify the CA chain of client certificate in iRule using [X509::issuer [SSL::cert 0]] which will parse the CA certificate, but advisable way is to use clientssl profile setting.

 

0 Kudos
Copyright © 2023 Khoros, LLC