x509
4 Topics

Forwarding of X509 HTTP Header to application after termination of SSL
Hi, I'm fairly new to F5 and was wondering if there was a way to insert part of the x509::subject to the HTTP header. A regular iRule for this would look partly like this

    when HTTP_REQUEST {
        if { [SSL::cert count] > 0 } {
            HTTP::header insert CERTSUBJECT [X509::subject [SSL::cert 0]]
        }
    }

however I would like to just get the 10 digit EDIPI 9999999999 below:

    Subject CN=John.D.Smith.9999999999,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S.

Is there a way to do this? Thanks J

278 Views, 0 likes, 1 Comment

When was SSL mutual authentication introduced to Big-IP?
Hey f5'ers, I have a question around SSL Mutual Authentication. Does anyone know when mutual authentication was introduced to LTM and which version of Big-IP it was introduced with, please?

We are experiencing some difficulty in establishing a mutually authenticated TLS1.2 session between another organisation's f5 LTM and our NGINX server. We can see their f5 LTM sending a client certificate/signer/root bundle when prompted but our NGINX server is then closing the connection with an ASN1 parsing issue. They are claiming that they have discovered that their version of Big-IP is unable to perform mutual authentication with TLS1.2, but given that we see their client certificate arriving at our NGINX server and WE are closing the connection, that doesn't make sense.

I just wanted to clarify when exactly MA was introduced to Big-IP as I've been using it for 6 years now and I imagine it must have been there for ages? Thanks in advance, Peter

353 Views, 0 likes, 2 Comments

Filter on client cert EKU
Is it possible to configure my SSL client profile so it will only request certificates with a particular EKU from Internet Explorer (in my case)?

Background: when I currently try to authenticate to the F5 with my smart card based credential, Windows (IE specifically) prompts me with its cert dialog box. The problem is that it shows me two of my certificates. Since they have the same CN, they appear identical in the dialog box. Only one of them is my authentication cert and will work. The other one, while present and available for me to pick, will cause the cert auth to fail. I'd like to get rid of this second cert as a selectable option. Any ideas?

168 Views, 0 likes, 0 Comments

How to read "Subject Key Identifier" value from a digital certificate
Hi, I am looking for a way to:

1) read "Subject Key Identifier" value from a digital certificate with an iRule (something like X509::subject [SSL::cert 0])
2) insert this value into a HTTP header inside the same iRule.

While there are many examples available about inserting HTTP headers, I did not find a way to read "Subject Key Identifier" from a certificate. Help appreciated! Best regards, Srecko

471 Views, 0 likes, 3 Comments