Forum Discussion

DenverRB_326662 (Nimbostratus)
Jan 31, 2019

Client Certificate Authentication - QR Codes - Client Request

Hello,

 

I'm a little bit stumped on this one - I have Client Based Certificate Authentication to a VIP and I'm requesting the check via an iRule.

 

The iRule works perfectly fine in a browser. The way most browsers work is I'm able to select the certificate that I want to choose before moving on and getting forwarded onto the VIP. This is a crappy way in my opinion as to how Client Based Certification should work; I think it should all be passive: the browser does a scan of certs and then passes you onto the VIP if you have the proper certificate creds. Maybe there is a way to do a passive check, I just don't know, please provide any input.

 

I think this is part of my problem. I have a mobile device with a QR code. When I scan the QR code the mobile device does not prompt for a certificate. I don't get a Forbidden failure on the page after the QR code scan and I can't determine where my failure is at.

 

I only get this error while using a mobile device; on a regular device with a browser everything works.

 

" - Error using (line 23)"

 

Line 23 in the irule editor is in fact blank.

 

Any ideas on either getting this to passively check an end user client's cert? Or has anyone done QR code scans with Client Certificate Auth before? Anyone see any issues with the iRule?

 

Thanks,

 

when RULE_INIT {
    set static::debug 1
}

when CLIENTSSL_CLIENTCERT {
    # With Client Certificate set to "request" this event also fires when the client
    # sent no certificate; X509::subject on an empty [SSL::cert 0] is what raises
    # "Error using ... invoked from within X509::subject", so check the count first.
    if { [SSL::cert count] > 0 } {
        set subject_dn [X509::subject [SSL::cert 0]]
        if { $subject_dn != "" } {
            if { $static::debug } { log local0. "Client Certificate received: $subject_dn" }
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    # SSL::verify_result is 0 when the chain validated against the profile's CA bundle.
    # The original test "== !0" compared the result to the constant 1.
    if { [SSL::verify_result] == 0 } { set clientCRT 1 } else { set clientCRT 0 }
}

when HTTP_REQUEST {

    # Only meaningful if a stream profile is attached to the virtual server.
    STREAM::disable

    set RequestedURI [string tolower [HTTP::uri]]

    # subject_dn only exists when CLIENTSSL_CLIENTCERT saw a certificate.
    if { [info exists subject_dn] } {
        switch -glob -- $RequestedURI {
            "/examplesite*" {
                if { $subject_dn contains "CN=examplesite1" } {
                    pool EXAMPLE_POOL1
                    log local0. "Source [IP::client_addr] has been Subject Certificate Selection [HTTP::uri]"
                } else {
                    # Log before reject: reject ends processing of the event.
                    log local0. "Source [IP::client_addr] has been rejected:$subject_dn [HTTP::uri]"
                    reject
                }
            }
            default {
                if { $subject_dn contains "CN=examplesite2" } {
                    pool EXAMPLE_POOL2
                    log local0. "Source [IP::client_addr] has been accepted [HTTP::uri]"
                } else {
                    log local0. "Source [IP::client_addr] has been rejected:$subject_dn [HTTP::uri]"
                    reject
                }
            }
        }
    } else {
        HTTP::respond 403 content "Access Denied - Incorrect Certificate" "Content-Type" "text/html" "Connection" "Close"
    }
}

3 Replies

  • I was able to stand up some more debugging, but not sure what this would identify the problem to be -

     - Error using (line 1) invoked from within "X509::subject [SSL::cert 0]"
    
  • Can you check the following setting in the SSL Client profile under Client Authentication: Advertised Certificate Authorities

     

    Help says:

     

    Specifies that the CAs that the system advertises to clients is being trusted by the profile. The default is None.

     

    This should trigger the browser to automatically send the right certificate.

     

  • It seems that the client didn't provide a certificate. You could add an extra check to your iRule:

    # Check if client provided a cert
    if {[SSL::cert 0] eq ""}{
        log local0. "Source [IP::client_addr] didn't provide a certificate; rejected client"
        # Reset the connection
        reject
    }
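
The two points above (guard the X509 parse when no certificate arrives, and verify before routing) combined into one iRule, as an added example that is not part of the original post or any reply. It assumes the clientssl profile has Client Certificate set to "request" (so a handshake with no certificate still completes and the iRule has to enforce), and it reuses the thread's placeholder pool names EXAMPLE_POOL1/EXAMPLE_POOL2 and CNs examplesite1/examplesite2. It also logs the User-Agent on every denial, which is what lets you see whether the mobile QR-code client never sent a certificate at all, and it matches the CN exactly instead of with `contains`, since `contains "CN=examplesite1"` also accepts CN=examplesite10.

```tcl
# Added example, not the thread's own rule. Assumed: clientssl profile with
# Client Certificate = "request"; pools and CNs are the thread's placeholders.

when RULE_INIT {
    set static::cc_debug 1
}

when CLIENTSSL_CLIENTCERT {
    # With peer-cert-mode "request" this event also fires when the client sent an
    # empty certificate list, so never call X509::subject without checking the count.
    set cert_cn ""
    set cert_status "none"

    if { [SSL::cert count] == 0 } {
        if { $static::cc_debug } { log local0. "[IP::client_addr]: no client certificate presented" }
        return
    }

    # Guard the parse so a malformed certificate aborts this connection, not the rule.
    if { [catch { set subject_dn [X509::subject [SSL::cert 0]] } err] } {
        log local0. "[IP::client_addr]: cannot parse client certificate: $err"
        set cert_status "unparseable"
        return
    }

    # Extract the CN component of the DN for an exact comparison later.
    if { [regexp -nocase {(?:^|,)\s*CN=([^,]+)} $subject_dn -> cert_cn] } {
        set cert_cn [string trim $cert_cn]
    }
    set cert_status "present"
}

when CLIENTSSL_HANDSHAKE {
    # 0 means the chain validated against the profile's CA bundle; anything else
    # is an OpenSSL X509_V_ERR_* code (expired, untrusted issuer, ...).
    set verify_rc [SSL::verify_result]
    if { $verify_rc != 0 } {
        set cert_status "unverified"
        log local0. "[IP::client_addr]: client cert failed validation: [X509::verify_cert_error_string $verify_rc]"
    }
}

when HTTP_REQUEST {
    set uri [string tolower [HTTP::uri]]
    set ua  [HTTP::header "User-Agent"]

    # cert_status is unset if the SSL events never ran (e.g. request arrived in cleartext).
    if { ![info exists cert_status] } { set cert_status "no-tls" }

    if { $cert_status ne "present" } {
        # The UA in this line is the diagnostic for "mobile never prompts for a cert".
        log local0. "[IP::client_addr] UA=\"$ua\" denied ($cert_status) $uri"
        HTTP::respond 403 content "Access Denied: client certificate $cert_status" \
            "Content-Type" "text/plain" "Connection" "Close"
        return
    }

    # Decide which identity each path requires, then compare the CN exactly.
    switch -glob -- $uri {
        "/examplesite*" { set wanted "examplesite1"; set target EXAMPLE_POOL1 }
        default         { set wanted "examplesite2"; set target EXAMPLE_POOL2 }
    }

    if { [string equal -nocase $cert_cn $wanted] } {
        pool $target
        if { $static::cc_debug } { log local0. "[IP::client_addr] CN=$cert_cn -> $target $uri" }
    } else {
        log local0. "[IP::client_addr] UA=\"$ua\" denied: CN=$cert_cn not allowed for $uri"
        HTTP::respond 403 content "Access Denied: certificate not authorized for this path" \
            "Content-Type" "text/plain" "Connection" "Close"
    }
}
```

The 403 response is used instead of `reject` on purpose: a reset gives the mobile client nothing to show, while a 403 with a reason appears on screen after the QR scan and in the LTM log with the User-Agent, so a client that completes the handshake without a certificate is distinguishable from one whose certificate failed validation. If the profile is set to "require" instead of "request", a client with no certificate never reaches HTTP_REQUEST at all, and the only evidence is the failed handshake.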