Extract CN Field from SSL Client Certificate
Hi Have inherited an APM configuration from a software developer, and been asked by the customer to apply the same technology on an external facing reverse proxy (currently running TMOS/APM 11.5.4) We use the following APM macro to extract the user name from a client SSL certificate. set f1 [mcget {session.ssl.cert.subject} ] set f2 [split $f1 "=" ] set f3 [lindex $f2 1] set f4 [split $f3 ","] set f5 [lindex $f4 0] It works as long as CN is the first field in the data returned by session.ssl.cert.subject, but unfortunately, the externally signed certificate presented by the web browser has the data in a different order: OU=MULTI-ALLOWED OU=XXXXXXX CN=USERNAME The resulting LDAP search macro tries to look up a user called "MULTI-ALLOWED" and fails. We don't have control over the format of the client certificate which we believe will be issued by the customer. How would I ensure that we extract the CN field regardless of its position in the certificate subject field. Would simply changing the search term in the first split command resolve the issue? set f2 [split $f1 "CN=" ] My knowledge of Tcl, UNIX/Linux string manipulation and regular expressions is very limited. I found a reference to session.ssl.cert.cn in the documentation for 10.1.x but it isn't mentioned for later versions. Is it still supported?
TLS Client Authentication from Server SSL Profile
Hi all We have a requirement to enable an outbound (internet) flow from some internal servers. Sitting near the edge of the network is an LTM that will proxy the connection from the servers, and is required to then do TLS mutual authentication (client authentication) to the target server on the internet. In this setup the LTM is, from the internal server's point of view, the server, so we configure a Client SSL Profile. All good. Next the LTM is, from the target server's point of view, a client so we configure a Server SSL Profile. Unfortunately this is not working for us. In the Server SSL profile we have set the Certificate and Key, which is the identity cert of the LTM itself signed by a 3rd party CA using a Web Server template with Client Authentication Key Usage. The logs from the target server (Apache 2.4.7) show the following: [ssl:info] [pid 5260:tid 2999946048] [client 10.128.2.109:58181] AH02008: SSL library error 1 in handshake (server server.com:443) [ssl:info] [pid 5260:tid 2999946048] SSL Library Error: error:140880AE:SSL routines:SSL3_GET_CERT_VERIFY:missing verify message My limited understanding on TLS MA is that the client should send a Certificate Verify message that proves it owns the private key. It appears the LTM is not sending this message which could explain why it is failing. I've tested a similar setup in my lab but bypassed the LTM and sure enough a Windows client does indeed send the Certificate Verify message and the transaction is successful. Any ideas on this one? Thank you.
Client authentication and Pool selection
I want to implement a client authentication solution based on the irule written by Kai (https://devcentral.f5.com/questions/client-authentication-for-specific-uri-52458 ). Here is my irule: when CLIENT_ACCEPTED { set session_cert 0 } when CLIENTSSL_CLIENTCERT { if { $session_cert } then { if { [SSL::cert count] > 0 } then { HTTP::release set session_cert 0 set subject_dn [X509::subject [SSL::cert 0]] } else { reject } } } when HTTP_REQUEST { if { ( [HTTP::uri] contains "/X509" ) } { log -noname local0.debug "Certificate required for: [HTTP::uri]" if { [SSL::cert count] == 0} { log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..." set session_cert 1 HTTP::collect SSL::authenticate always SSL::authenticate depth 9 SSL::cert mode require SSL::renegotiate } else { HTTP::header insert W_Subject_dn $subject_dn pool iamintsit.etc_8443_pool } } else { log local0.debug "From [IP::client_addr] go to pool" pool mypool_pool } } The process of the PIV card interaction works fine, however the traffic get stuck at clientssl_clientcert rule once the cert is found! After running a capture I noticed the following error: F5RST: No server selected. So basically F5 cannot find a pool member if it is not defined under default pool. Apparently once the cert is found F5 exits the irule and looks for the default pool. My expectation is to have the HTTP_REQUEST rule re-scanned for the pool selection. Since I would like to control everything within the irule, because I want to add some headers, I cannot define a default pool. thanks for your help. PS: Also I used clientssl_clientcert instead of clientssl_handshake. The latter didn't work.
Dynamic OCSP and CRLDP check for SSL Client Authentication
Dear, I have a use case where a virtual server is configured with a client ssl profile and client authentication is enabled. The client certificates can be signed by any CA in a bundle that is assigned to the profile as well. We want to enable the revocation status check based on the information of the certificate, it can be either CRLDP or OCSP. There are some configuration objects in "Local Traffic >> Profiles >> Authentication" but these profiles need static URLs for the CRLDP and OCSP. I also read that this is based on the ACA module that has been deprecated. So I would assume that the only solution would be the APM module, but I would like to get a clear answer if possible. Thanks a lot. AbdessamadDynamic OCSP and CRLDP check for SSL Client Authentication
Dear, I have a use case where a virtual server is configured with a client ssl profile and client authentication is enabled. The client certificates can be signed by any CA in a bundle that is assigned to the profile as well. We want to enable the revocation status check based on the information of the certificate, it can be either CRLDP or OCSP. There are some configuration objects in "Local Traffic >> Profiles >> Authentication" but these profiles need static URLs for the CRLDP and OCSP. I also read that this is based on the ACA module that has been deprecated. So I would assume that the only solution would be the APM module, but I would like to get a clear answer if possible. Thanks a lot. AbdessamadSSL Authentication without Irule
Hello, SOL14783 and link here gave me the idea that we can only verify Client certificate using iRule. Is that still correct with version LTM version 11.x. It looks strange that this feature is not included on GUI. There is the way to verify the client certificate (and not only if the CA is trust) with LTM GUI ?
How to use multiple Trusted Certificate Authorities in the Client Authentication option in SSL profile?
Hello All, We have a scenario where the virtual server needs to authenticate the client and for that we need to configure client authentication under SSL client profile. In our case we have two different types of clients with each using a different certificate. How can I use multiple certificates in the Trusted Certificate Authorities option? Can the LTM use a set of certificates to authenticate the client by trial and error? Regards, Fouad Al JaouniRead SSL certificate from http header?
I am sending 2 SSL certs from my app to the load balancer The standard SSL cert A required client certificate I generated, and put the Authority on the F5 In the SSL profile, I enable "Client Authentication" and everything is happy. However, I have a special case now where I want to send the client certificate to the F5 via a header parameter like: xmlhttp.setRequestHeader('X-Client-Certificate', Certificate_In_Base64); Does anyone know if it's possible for the F5 to accept SSL certificates (specifically the client cert) in a non-standard way like iRule that lets me read it from the http header? Thanks!
Client authentication prompts (SSL profiles)
Hello all, I was wondering if someone facing below issue when client authentication is implemented with SSL profiles. Every thing works fine after below prompts. User certificate prompt appears 4 times in chrome, 2 times in IE and once in Firefox. I am wondering if this has something to do with the browser behaviour ? Regards, Akhtar
