Forum Discussion

dd007_132137
Sep 17, 2013

F5 requires certificates for other URI paths

Hi,

 

We have our virtual server almost ready to be tested by our teams' consumers but we are running into this issue lately.

 

In Local Traffic ›› Profiles : Protocol : HTTP Class ›› ddTestHTTPClass I have:

    host name = collector.api.devabcdcentral.com
    Match Only URI paths (pattern string) = /collector/items*

 

So, a curl of this type works, but a simple health check on the resource also asks for certificates, which is not what we want:

 

```
curl -i https://collector.api.devabcdcentral.com/collector/items -F filedata=@abcd.txt -v --key certs/key.pem --cacert certs/ca.pem --cert certs/client.pem
```

 

Is there a way to configure requiring certificates only for a particular URI path?

 

Output for the configured service requiring a certificate:

 

```
$ curl -i https://collector.api.devabcdcentral.com/collector/items -F filedata=@abcd.txt -v --key certs/key.pem --cacert certs/ca.pem --cert certs/client.pem
* About to connect() to collector.api.devabcdcentral.com port 443 (0)
*   Trying 10.162.143.19...
* connected
* Connected to collector.api.devabcdcentral.com (10.162.143.19) port 443 (0)
Enter PEM pass phrase:
* successfully set certificate verify locations:
*   CAfile: certs/ca.pem
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
*        subject: C=US; ST=Missouri; L=Kansas CIty; O=ABCD Corporation; CN=*.api.devabcdcentral.com
*        start date: 2013-02-25 17:23:45 GMT
*        expire date: 2015-02-26 00:57:04 GMT
*        subjectAltName: collector.api.devabcdcentral.com matched
*        issuer: C=US; O=Entrust, Inc.; OU=www.entrust.net/rpa is incorporated by reference; OU=(c) 2009 Entrust, Inc.; CN=Entrust Certification Authority - L1C
*        SSL certificate verify ok.
> POST /collector/items HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
> Host: collector.api.devabcdcentral.com
> Accept: */*
> Content-Length: 5370
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=----------------------------ae2563cae974
>
< HTTP/1.1 100 Continue
HTTP/1.1 100 Continue
< HTTP/1.1 201 Created
HTTP/1.1 201 Created
< Server: Apache-Coyote/1.1
Server: Apache-Coyote/1.1
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Length: 0
Content-Length: 0
< Date: Tue, 17 Sep 2013 16:08:43 GMT
Date: Tue, 17 Sep 2013 16:08:43 GMT
<
* Connection 0 to host collector.api.devabcdcentral.com left intact
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
```

 

Output for the health check, which also requires a certificate:

 

```
$ curl https://collector.api.devabcdcentral.com/collector/health -v
* About to connect() to collector.api.devabcdcentral.com port 443 (0)
*   Trying 10.162.143.19...
* connected
* Connected to collector.api.devabcdcentral.com (10.162.143.19) port 443 (0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
```

 

4 Replies

  • Certificates only relate to host names (FQDNs), not URIs, so no, you can't configure SSL/TLS for specific URIs; SSL/TLS occurs before the HTTP request is sent.

     

    I'm not sure I understand the part about your health monitor. Why not just use the same parameters as the first curl command in your question? How does either curl string relate to the F5's health monitoring?

     

  • Without F5 in the picture, we have our own health check endpoint like this:

    http://bigdataeng02.northamerica.abcd.net:6001/collector/health

    Now, the new endpoint I am working on is at

    http://bigdataeng02.northamerica.abcd.net:6001/collector/items

    where

    http://bigdataeng02.northamerica.abcd.net:6001

    is my pool member behind the F5 virtual server (host name = collector.api.devabcdcentral.com).

    So, we want F5 to route all the traffic that hits

    https://collector.api.devabcdcentral.com/collector/items

    through certificate validation via F5, but not anything else, e.g.

    http://collector.api.devabcdcentral.com/collector/health

    From your comment, is that not possible with F5?

  • If you are terminating SSL on your virtual server, it will do the handshake, including presenting the server certificate to the client and key negotiation, and finally forward the received request to an internal server (your pool member).

    You are able to reply to a client's request directly from a virtual server without forwarding it to one of the servers in your pool. This can be done for specific URIs (i.e. /collector/health). But requests to /collector/items should be forwarded to a pool member.

    Is this what you are trying to accomplish?

     

  • Can I assume that your cURL script is external to the F5 and it's hitting the one VIP (https://collector.api.devabcdcentral.com) with different URIs? As others have stated, SSL happens BEFORE HTTP, so there's really no way to enable/disable client side SSL based on the HTTP request URI. There are a few options though:

     

    1. Move your health check to the F5 with an external monitor. The F5 can issue the health checks and report its findings, and/or control the availability of pool members.

       

    2. Create TWO VIPS: one for HTTP and one for HTTPS, and a set of iRules that filters on the HTTP requests. Only allow requests to /collector/health on the HTTP VIP and redirect everything else to the HTTPS VIP.
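As an added illustration of option 2 (this is example code, not from the thread or from F5), here is an iRule for the plain-HTTP virtual server. It assumes a pool named collector_pool and an HTTPS virtual server reachable under the same host name; both are placeholder names. The HTTPS virtual server is the one whose clientssl profile requires a client certificate, so anything that is not the health check is sent there.

```tcl
# Added example for the HTTP (port 80) virtual server in option 2.
# Assumed: pool "collector_pool" holds the backend (placeholder name);
# the HTTPS virtual server answers on the same host name as this one.
when HTTP_REQUEST {
    # Compare the path only (no query string), case-insensitively.
    set path [string tolower [HTTP::path]]

    if { [HTTP::method] equals "GET" && $path equals "/collector/health" } {
        # The health check is the only request served without a client
        # certificate: forward it to the backend over plain HTTP.
        pool collector_pool
        return
    }

    # Everything else must go through the HTTPS virtual server, whose
    # clientssl profile requires a client certificate. Redirect the
    # client there, preserving host, path and query string.
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
```

Two practical notes: a redirect turns a POST into a GET on the retry and drops the body, so API consumers should call the HTTPS URL directly and treat the redirect as a safety net rather than a transport; and with the F5 doing the health check itself (option 1), the HTTP virtual server is not needed at all, since the monitor talks to the pool member over port 6001 and never touches the clientssl profile.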