Passing Client CAC / Smart Card Cert to Application Server
I am reaching to see if anyone has created or come across the most stream line process of passing a Client cert through F5 which then reaches the an Application server. The most important piece of data that needs to reach the server is just the CN (Common Name) I have looked online and come across many iRules but none seems to work. Example: when CLIENTSSL_CLIENTCERT { # Save the first client cert to a variable. Not sure why, but... set ssl_cert [SSL::cert 0] } More or less, I am looking for an iRule that will just do a "Pass through" for the Client cert through the F5 Proxy that would then reach the Application server. Thanks in advance for the help, I have spend a few hours on this as F5 BIG-IP is still very new to me across the board.Solved1KViews0likes3CommentsBIG-IP Proxy SSL 12.1 Handshake Failure
I set up SSL Proxy in order to do client certificate authentication on my IIS web server on LTM 12.1 firmware. The setup is working fine on Firefox version 43, IE 10 and OpenSSL but it fails on Chrome 51, Firefox 47 and IE 11. I've captured the packets. Clients use TLS1 or TLS1.2 using the same ciphersuite of TLS_RSA_WITH_AES_256_CBC_SHA (0x0035), the same process takes place for the passing and failing cases. Client Hello Server Hello, Certificate, Server Hello Done Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message 4. 4.1 Either Server sends Change Cipher Spec and then Application Data gets transfered Or 4.2 The server sends Alert level: Fatal, Descrition: Handshake Failure So I suspect the BIG-IP fails to decrypt the handshake sent by the client in some cases but I can't figure out why because there's nothing different between failing and passing tests. ssldump using Firefox 47 (Fails): New TCP connection 1: 192.168.100.125(55041) <-> 192.168.100.231(443) 1 1 0.0027 (0.0027) C>S Handshake ClientHello Version 3.3 cipher suites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Unknown value 0xcca9 Unknown value 0xcca8 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA compression methods NULL 1 2 0.0033 (0.0005) S>C Handshake ServerHello Version 3.3 session_id[32]= d9 0a 00 00 3e 11 22 ac e2 c2 00 f5 9a 41 35 53 43 6a 9e a5 e0 26 32 e4 f8 38 2e ca 72 3c fb 93 cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA compressionMethod NULL Certificate ServerHelloDone 1 3 0.0185 (0.0151) C>S Handshake ClientKeyExchange 1 4 0.0185 (0.0000) C>S ChangeCipherSpec 1 5 0.0185 (0.0000) C>S Handshake 1 6 0.0196 (0.0011) S>C Alert level fatal value handshake_failure 1 0.0197 (0.0000) S>C TCP FIN 1 0.0205 (0.0008) C>S TCP FIN New TCP connection 2: 192.168.100.125(55042) <-> 192.168.100.231(443) 2 1 0.0005 (0.0005) C>S Handshake ClientHello Version 3.2 cipher suites Unknown value 0x5600 Unknown value 0xcca9 Unknown value 0xcca8 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA compression methods NULL 2 2 0.0010 (0.0005) S>C Handshake ServerHello Version 3.2 session_id[32]= 85 48 00 00 8f 2a ae 80 b8 d7 e9 e2 47 c0 15 4e e8 af 69 6f 2d b9 b8 d6 ed d5 29 3c a3 a3 44 b3 cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA compressionMethod NULL Certificate ServerHelloDone 2 3 0.0145 (0.0134) C>S Handshake ClientKeyExchange 2 4 0.0145 (0.0000) C>S ChangeCipherSpec 2 5 0.0145 (0.0000) C>S Handshake 2 6 0.0158 (0.0013) S>C Alert level fatal value handshake_failure 2 0.0158 (0.0000) S>C TCP FIN 2 0.0162 (0.0003) C>S TCP FIN New TCP connection 3: 192.168.100.125(55043) <-> 192.168.100.231(443) 3 1 0.0005 (0.0005) C>S Handshake ClientHello Version 3.1 cipher suites Unknown value 0x5600 Unknown value 0xcca9 Unknown value 0xcca8 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA compression methods NULL 3 2 0.0010 (0.0004) S>C Handshake ServerHello Version 3.1 session_id[32]= aa 41 00 00 04 82 07 3f ed 35 96 49 e2 c5 ba 79 f8 39 5a f2 d2 41 19 33 8e 5b 05 5e 2f d1 ca 24 cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA compressionMethod NULL Certificate ServerHelloDone 3 3 0.0141 (0.0131) C>S Handshake ClientKeyExchange 3 4 0.0141 (0.0000) C>S ChangeCipherSpec 3 5 0.0141 (0.0000) C>S Handshake 3 6 0.0155 (0.0013) S>C Alert level fatal value handshake_failure 3 0.0155 (0.0000) S>C TCP FIN 3 0.0165 (0.0009) C>S TCP FIN ssldump using Firefox 43 (Passes): New TCP connection 1: 192.168.100.125(55099) <-> 192.168.100.231(443) 1 1 0.0007 (0.0007) C>S Handshake ClientHello Version 3.3 cipher suites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA compression methods NULL 1 2 0.0012 (0.0004) S>C Handshake ServerHello Version 3.3 session_id[32]= 0f 16 00 00 ec 24 3b 75 10 f0 53 c4 45 d3 df ef 97 91 f0 9a b8 fe c2 98 5d 15 fd 11 ed 2f 55 58 cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA compressionMethod NULL Certificate ServerHelloDone 1 3 0.0031 (0.0018) C>S Handshake ClientKeyExchange 1 4 0.0031 (0.0000) C>S ChangeCipherSpec 1 5 0.0031 (0.0000) C>S Handshake 1 6 0.0053 (0.0022) S>C ChangeCipherSpec 1 7 0.0056 (0.0002) S>C Handshake 1 8 0.2922 (0.2865) C>S application_data 1 9 0.3330 (0.0408) S>C Handshake 1 10 0.3337 (0.0006) C>S Handshake 1 11 0.3368 (0.0031) S>C Handshake 1 12 0.3473 (0.0104) C>S Handshake 1 13 0.3473 (0.0000) C>S ChangeCipherSpec 1 14 0.3473 (0.0000) C>S Handshake 1 15 0.3500 (0.0026) S>C ChangeCipherSpec 1 16 0.3501 (0.0001) S>C Handshake 1 17 0.3512 (0.0011) S>C application_data 1 18 0.3779 (0.0266) C>S application_data New TCP connection 2: 192.168.100.125(55102) <-> 192.168.100.231(443) 2 1 0.0008 (0.0008) C>S Handshake ClientHello Version 3.3 resume [32]= b3 15 00 00 94 41 0f d7 0f ce 39 45 82 5e 53 85 b4 4f de 6d 1c f7 23 16 c6 8b bb d6 96 d9 53 c5 cipher suites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA compression methods NULL 2 2 0.0011 (0.0003) S>C Handshake ServerHello Version 3.3 session_id[32]= b3 15 00 00 94 41 0f d7 0f ce 39 45 82 5e 53 85 b4 4f de 6d 1c f7 23 16 c6 8b bb d6 96 d9 53 c5 cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA compressionMethod NULL 2 3 0.0012 (0.0000) S>C ChangeCipherSpec 2 4 0.0018 (0.0006) S>C Handshake 1 19 0.3804 (0.0025) S>C application_data 2 5 0.0025 (0.0006) C>S ChangeCipherSpec 2 6 0.0025 (0.0000) C>S Handshake 2 7 0.0033 (0.0007) C>S application_data 2 8 0.0057 (0.0023) S>C Handshake 2 9 0.0062 (0.0005) C>S Handshake 2 10 0.0072 (0.0010) S>C Handshake 2 11 0.0210 (0.0137) C>S Handshake 2 12 0.0210 (0.0000) C>S ChangeCipherSpec 2 13 0.0210 (0.0000) C>S Handshake 2 14 0.0246 (0.0035) S>C ChangeCipherSpec 2 15 0.0246 (0.0000) S>C Handshake 2 16 0.0250 (0.0003) S>C application_dataSolved3.2KViews0likes14CommentsBig IP proxy SSL on multiple Big-IP systems
Hello, There is some information available to implement Proxy SSL on a single Big-IP system where the client SSL profile and Server SSL profile are setup on the same Big-IP. Implementing Proxy SSL on a Single BIG-IP System I have an SSL air gap configuration where one clients connect to one Big-IP and the pool members are on another Big-IP. Can I configure proxy SSL on such a configuration where the client SSL profile exists on machine and the Server proxy SLL profile exists on another machine? Here is the flow of traffic: Client --> SSL VIP on Big-IP 1 --> SSL VIP on Big-IP 2 --> Pool members I am using Big-IP version 12.1.2. Regards, Akmal Zeb206Views0likes1CommentProblem ProxySSL with two pools.
Hi, I have a VS with ProxySSL enabled (profile SSL client and server), and two pools with HTTPS (A_pool and B_pool). I configure the A_pool as default pool in VS and works correctly. But when I change to B_pool, through a iRule, show a error. How can I change the default pool through a iRule? Very thanks.330Views0likes3CommentsProxy SSL and ECC ciphers
So I know that currently Proxy SSL does not support anything other than RSA key exchanges. I don't know if anyone had found any other way to do certificate authentication on the web server while still maintaining ASM inspection. I have an application where we have been restricting it down to RSA key exchanges only in order to use Proxy SSL so that the client cert could still pass to the web server but we could keep ASM inspection of the content. Now we have an issue where we need to turn on ECC ciphers, which will break Proxy SSL inspection and possibly force us to completely bypass ASM inspection. I would prefer not to bypass ASM but not seeing a way around it right now. Any help would be appreciated. Thanks.466Views0likes2CommentsForward client certificate to server in V10 LTM
We have an application which use client certificate for authenticate users. So far we had setup this as SSL pass through mode. But now they want to drop some connection base on specific word on URI, we need to install SSL cert on LB to look into URI. And application team want to see the client cert. I read about PROXY SSL feature to achieve this but look like that is available on V11. But our LB is V10. Can we achieve this on V10 ? Thanks233Views0likes1CommentIssues with Proxy SSL
I have an Active Sync application where we are using the Proxy SSL on an ASM in order to pass client certificate authentication. We have started noticing that when sending messages with attachments bigger than roughly 2.5mb get an error that they are not sent. When tracing the connection and running it through ssldump I see the data packets start flowing from the client to the VIP on the ASM and then mid stream on the data connection I start seeing this in the SSLdump. Those messages go on for a few seconds until the server side closes the connection. There is no block in ASM and nothing in the LTM logs either. I check the ciphers and protocols supported on the server and they are all supported by the ASM. When I remove the ASM and let client talk directly to the server the issue clears up. Has anyone seen this before any thought would be helpful. I am running 11.4.1 HF7 in prod and I did try running it through a 11.5.2 HF1 build I have in my lab and the same issue occurs. 9 111 3.2153 (0.0009) C>SShort record Unknown SSL content type 1 9 112 3.2184 (0.0030) C>SShort record Unknown SSL content type 35 9 113 3.2202 (0.0018) C>SShort record Unknown SSL content type 241 9 114 3.2225 (0.0023) C>SShort record Unknown SSL content type 15 9 115 3.2243 (0.0018) C>SShort record Unknown SSL content type 242 9 116 3.2272 (0.0028) C>SShort record Unknown SSL content type 48 9 117 3.2290 (0.0017) C>SShort record Unknown SSL content type 0 9 118 3.2314 (0.0024) C>SShort record Unknown SSL content type 176 9 119 3.2338 (0.0023) C>SShort record Unknown SSL content type 197 9 120 3.2985 (0.0647) C>SShort record Unknown SSL content type 174 9 121 3.3009 (0.0023) C>SShort record Unknown SSL content type 230 9 122 3.3044 (0.0035) C>SShort record 9 123 3.4143 (0.1099) C>SV90.118(44194) bad MAC Unknown SSL content type 37265Views0likes1CommentEnable/Disable ProxySSL in iRule
Is there a way to enable and disable the ProxySSL feature of an assigned client or server SSL profile within an iRule? I have a virutal server that hosts many different application. Pools and whether or not a serverside SSL profile is required are assigned based on URI. All site except one have SSL terminated at the BIGIP. However, one not only requires server side SSL but also requires that the client certificate be passed through to the server for authentication. ProxySSL requires that both the client and server SSL profile have the feature turned on, but when I assign the profile to the virtual server the sites that don't need server side SSL stop working. Any help would be appreciated.267Views0likes3CommentsProxySSL - tracking the client
Consider the following scenario: A virtual server is defined with a ProxySSL rule to inspect traffic before passing the stream to another virtual server. Question: If a connection is inspected, then rejected by the ProxySSL VS for some reason, is there any way to associate the connection with a client other than source IP? Is there any way to determine the client certificate or the SSL session ID in the ProxySSL VS?279Views0likes2Comments