ssl two-way
3 TopicsGenerate logs on two-way client authentication SSL certs expired or close to expiring?
I've been tasked with coming up with a way to monitor client certificate expiration status without the f5 holding the client cert (which obviously would be the easiest way to check cert expiration status). Basically, the clients are external customers that we can't import their private client certs into the f5 to check their expiration status. We currently use an irule to verify the client authentication of their cert, but if it expires we aren't notified (nor is the client) until a while after the cert has expired and someone noticed the connection failures. I've been doing some preliminary research and it appears that through an iRule we can check the expiration date of the cert and possibly send it to a log or syslog for alerts? Ideally, the f5 notification would be two-fold: 1) Log and send an alert when the client cert is less then 30 days to expiration. 2) Log and send an alert when the client cert has expired. Here's the current iRule we're using: when CLIENTSSL_CLIENTCERT { Check if client provided a cert if {[SSL::cert 0] eq ""}{ log "Client Certificate Missing" reject } else { set subject_dn [string tolower [X509::subject [SSL::cert 0]]] set expiration_dn [X509::not_valid_after [SSL::cert 0]] log "Client Certificate Received: $subject_dn --- $expiration_dn" if { ([class match $subject_dn contains progressive_cn_list]) } { Accept the client cert log "Client Certificate Accepted: $subject_dn [SSL::cert count]" } else { log "Client Certificate Mismatch: $subject_dn [SSL::cert count]" reject } } } And I found the following F5 KB on X509 commands, I'm presuming we could use a combination of X509::not_valid_after for expiration, and maybe another conditional check with some sort of X509::not_valid_after < 30 "from_present_date" code to alert when the cert is less then 30 days. Do you guys have any suggestions? Thanks! CH344Views0likes1Comment2-Way SSL Authentication with irules.
I've got a requirement to implement an irule on an vip, which would redirect traffic to another vip on the same LB, based on a simple uri. Easy-peasy, right? However, it turns out that the customer is using two-way SSL authentication. Now this thread( https://devcentral.f5.com/questions/2-way-ssl-implementation-25325 ) was most helpful, but I still have a few questions. 1)The customer's SSL certificate is self-signed. From what I understand, this won't fly, and they must get a certificate with an intermediate cert bundle that can be installed on the F5. Correct? 2)All the modifications take place on the client profile. I need to set Client Authentication to request or require and specify the intermediate cert bundle in this section as well. 3)Can I set a server ssl profile on the originating vip(VIP1). VIP2, doesn't have ssl traffic offloading enabled. 4)If I can't set a server ssl profile on VIP1, what happens to the default traffic will is going to the pool under VIP1?301Views0likes1CommentSSL logging impact on f5?
Hello Experts, I was just curious if there would be any impact on performance of f5 if we enabled SSL logging? I found out hot to do it but I don't want to mess up the entire infrastructure. Please let me know if it will slow the working performance of the f5, affect other VIPs configuration or any error/outage at all. https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15292.html Thank you all, you are the best. R247Views0likes1Comment