Slack Mutual TLS Recipe: Adding X-Client-Certificate-SAN header from client certificate
Problem this snippet solves: The following is based on the documentation from Slack of how to authenticate requests from Slack via mutual TLS and pass along the information to a service that is not capable of mutual TLS via a X-Client-Certificate-SAN header. Adapted from: https://api.slack.com/docs/verifying-requests-from-slack#mutual_tls Based on question from: https://devcentral.f5.com/s/question/0D51T00006n6YltSAE/extract-san-from-client-ssl-certificate-insert-into-http-header How to use this snippet: Attach to Virtual Server that has both a HTTP and clientssl profile. The clientssl profile must be configured for "require" or "request" to process the client certificate and use a CA certificate that verifies that it is a trusted certificate. The iRule will replace any headers that are sent by the client. Code : when HTTP_REQUEST { if {[SSL::cert 0] ne ""}{ # extract SAN set santemp [findstr [X509::extensions [SSL::cert 0]] "Subject Alternative Name" 32 ","] # remove DNS: prefix set san [findstr $santemp "DNS" 4] # insert X-Client-Certificate-SAN header HTTP::header replace X-Client-Certificate-SAN $san } else { HTTP::header remove X-Client-Certificate-SAN } } Tested this on version: 11.5Verifying Slack Requests with Mutual TLS
Recently there was a question about how to authenticate requests from Slack via mutual TLS.The following walks through how to configure the BIG-IP to verify the identity of Slack requests and share this information with a backend Slack application. Slack App Slack apps are nifty ways that you can create custom interactions.One example would allow you to create a custom command “/mtls” that would send a command to your own application server and send the response back into your Slack channel. Verifying Slack Requests When a request is sent from Slack to your backend server there are two ways that you can verify the identity of Slack. Verify Signed Requests Use Mutual TLS Signed Requests When Slack sends a request to your application it includes a X-SLACK-SIGNATURE header.Using a 4-step process that is documented, your application can validate each request. Mutual TLS The second option is to use Mutual TLS that is documented , this involves having a trusted proxy that is capable of validating Slack's client certificate. Configuring a BIG-IP to Validate Slack Requests via Mutual TLS To configure the BIG-IP you will need to Install your CA signed certificate that is trusted by Slack Install a CA certificate that was used by Slack to verify their client certificate Configure the BIG-IP to request a client certificate that is trusted by Slack’s preferred CA The outcome of these three steps looks something like the following from the BIG-IP GUI. To share this information with a backend application we use an iRule to follow the guidance from Slack’s documentation as well as add the content of the certificate that is presented by Slack. In Action Once you get the BIG-IP configured you can test out your Slack app (link to Code Snippet of my demo app).I modified the following tutorial . In this example I created the command “/mtls”. When you run the command w/out using the BIG-IP validating the certificate you can see the request, but no information about the X-Client-Certificate-SAN that is used by Slack. Using the BIG-IP to validate the certificate we can see that we can now share this information with the application via the X-Client-Certificate-SAN header that is added by the iRule. More Mutual TLS TLS provides a standard scheme for verifying the identity of Slack in this example. Mutual TLS is commonly used by customers in these types of B2B type of transactions and be a useful scheme for establishing a chain of custody between two parties. Let me know if you can think of other examples where Mutual TLS can be used similar to this example. Thanks for reading! /eric outSample Slack App for testing Mutual TLS with BIG-IP
Problem this snippet solves: This Slack App was used with the following Code Snippet to test Mutual TLS. This code was adapted from: https://api.slack.com/tutorials/tunneling-with-ngrok How to use this snippet: npm install express npm install request node index.js (or whatever you name it) Create a pool that points to the IP:Port where it is running (defaults to listening on 4390). Once you add the app (follow the tutorial from above, but use a different command name like /mtls). Unlike the tutorial you will cover a "real" SSL certificate on the BIG-IP (must be publicly accessible from Slack's servers). Follow-up article with more details will be posted in the future. Code : // Import express and request modules require('dotenv').config() var express = require('express'); var request = require('request'); var querystring = require('querystring'); // Instantiates Express and assigns our app variable to it var app = express(); //app.use(express.json()); app.use(express.urlencoded({ extended: true })); // Again, we define a port we want to listen to const PORT=4390; // Lets start our server app.listen(PORT, function () { //Callback triggered when server is successfully listening. Hurray! console.log("Example app listening on port " + PORT); }); // This route handles GET requests to our root demo address and responds with the same "Demo is working message" we used before app.get('/', function(req, res) { res.send('Demo is working! Path Hit: ' + req.url); }); // This route handles get request to a /oauth endpoint. We'll use this endpoint for handling the logic of the Slack oAuth process behind our app. app.get('/oauth', function(req, res) { // When a user authorizes an app, a code query parameter is passed on the oAuth endpoint. If that code is not there, we respond with an error message if (!req.query.code) { res.status(500); res.send({"Error": "Looks like we're not getting code."}); console.log("Looks like we're not getting code."); } else { // If it's there... // We'll do a GET call to Slack's `oauth.access` endpoint, passing our app's client ID, client secret, and the code we just got as query parameters. request({ url: 'https://slack.com/api/oauth.access', //URL to hit qs: {code: req.query.code, client_id: process.env.CLIENT_ID, client_secret: process.env.CLIENT_SECRET}, //Query string data method: 'GET', //Specify the method }, function (error, response, body) { if (error) { console.log(error); } else { res.json(body); } }) } }); // Route the endpoint that our slash command will point to and send back a simple response to indicate that ngrok is working app.post('/command', function(req, res) { var certSan = req.get('X-Client-Certificate-SAN'); if(certSan) { var cert = req.get('X-Client-Certificate'); var formattedCert = ''; for(i=0;i Tested this on version: 13.0
