Forum Discussion

adiezma's avatar
adiezma
Icon for Nimbostratus rankNimbostratus
Feb 27, 2023

Verification of a certificate from a CA.

Hi All!,

I need to migrate a virtual server from NGINX to F5 LTM and am not able to get it to work.
It is a web that uses a certificate, which is validated with a CA that is already loaded from my F5.

The NGINX configuration is as follows:

server {
listen 443 ssl;
server_name ssl-************c.es;

# ssl on;
ssl_certificate /opt/cert*****/cert*****c.crt;
ssl_certificate_key /opt/cert*****/******c.key;

ssl_client_certificate /etc/nginx/cert*****/ca_*********e.crt;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/cert*****/cert********.pem;
ssl_ecdh_curve *********;

#XSS
#add_header X-Xss-Protection "1; mode=block" always;

ssl_verify_client optional;
ssl_verify_depth 3;

ssl_session_timeout 10m;

proxy_hide_header Cache-Control;
proxy_hide_header Pragma;

if ($ssl_client_verify = NONE) {
return 303 https://se************?error=no_cert;
}
if ($ssl_client_verify != SUCCESS) {
return 303 https://se************?error=error_cert;
}

When I want to convert this configuration to F5, I use an SSL client profile and an irule.

In the client profile, I have a Certificate Key Chain, to verify the server in browsers.
To authenticate the client certificate, I have the CA set to Trusted Certificate Authorities and Advertised Certificate Authorities. The Client Certificate mode changes depending on the hostname of the url.

The iRule configuration is as follows:

when HTTP_REQUEST {
switch [string to lower [HTTP::host]] {

ssl-**********c.es {

SSL::cert mode request
log local0. "when http request, now renegotiating"
SSL::renegotiate

if {[SSL::cert count] > 0}{
if { [SSL::verify_result] == 0 }{
return
} else {
set error_string "error=error_cert"
}
} else {
set error_string "error=no_cert"
}
if { $error_string ne "" } {
HTTP::respond 303 Location https://s********?$error_string
}

pool POOL_****_ssl-********
#log local1. "SSSSsl-******S, Source IP: [IP::client_addr], URL: [HTTP::host] [HTTP::uri]"
}

When I test the virtual server, the request for the client certificate is successful, the password is requested, but at the end, the request shows an invalid certificate error, as if F5 is not validating that client certificate with the installed CA.

Any ideas?

Thank you so much.

2 Replies

  • The reason to use the irule is because we need to return a result when the certificate is invalid (not signed by the particular CA) or there is no certificate.

    if {[SSL::cert count] > 0}{
    if { [SSL::verify_result] == 0 }{
    return
    } else {
    set error_string "error=error_cert"
    }
    } else {
    set error_string "error=no_cert"
    }
    if { $error_string ne "" } {
    HTTP::respond 303 Location https://s********?$error_string
    }

    Regards