Forum Discussion

polevoym
Nov 12, 2014

Looking for an Irule to enforce ssl client authentication and then pass ssl certificate details to the backend server

Hi, I used the below iRule:

    when CLIENTSSL_CLIENTCERT {
        log local0. "start CLIENTSSL_CLIENTCERT"
        set the_cert [SSL::cert 0]
        set pkiSubject [X509::subject $the_cert]
        set pkiIssuer [X509::issuer $the_cert]
        log local0. "end CLIENTSSL_CLIENTCERT"
    }


    when HTTP_REQUEST {
        log local0. "start HTTP_REQUEST, uri is [HTTP::uri]"
        if { [HTTP::uri] eq "/server.htm" } {
            log local0. "/server.htm detected!"
            if { [SSL::cert count] == 0 } {
                log local0. "no certificate found... force SSL"
                SSL::cert mode require
                SSL::renegotiate
                log local0. "end HTTP_REQUEST"
            } else {
                # this else pairs with the certificate check, not with the URI check,
                # otherwise the headers are only added for URIs other than /server.htm
                log local0. "certificate found!"
                set the_cert [SSL::cert 0]
                set pkiSubject [X509::subject $the_cert]
                set pkiIssuer [X509::issuer $the_cert]
                HTTP::header insert CLIENTSSL_Status [SSL::verify_result]
                HTTP::header insert CLIENTSSL_StatusString [X509::verify_cert_error_string [SSL::verify_result]]
                HTTP::header insert CLIENTSSL_CN $pkiSubject
                HTTP::header insert CLIENTSSL_SSLIssuer $pkiIssuer
                HTTP::header insert CLIENTSSL_SSLClientCertSN [X509::serial_number $the_cert]
                HTTP::header insert CLIENTSSL_Cert [b64encode $the_cert]
            }
        }
    }


I get a request to provide a certificate while requesting server.htm, but the headers are not inserted on the GET request forwarded to the server. I ran tcpdump and got the below:

    ..P.......GET /server.htm HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US,he-IL;q=0.7,he;q=0.3
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: 192.168.3.100
    If-Modified-Since: Tue, 28 Oct 2014 21:19:37 GMT
    If-None-Match: "120851-14-50682345b18a4"
    Connection: Keep-Alive


I'm using LTM 11.4


How can I resolve the problem?


6 Replies

  • Apologies, we've gone from no spam filters to rather over the top ones here on DC it seems, so had to split it up.


  • Hi Michael,

    If you want to do Client Certificate Authentication 'always' for a virtual server, you can modify the client-ssl profile you're using to achieve as much. The setting is called 'Client Certificate' and should be set to 'require'.

    Make sure to also upload the chain for valid certificates and select it in the 'Trusted Certificate Authorities' and 'Advertised Certificate Authorities' picklists.

    This way, you can simply use the following iRule to achieve your goal:

    when HTTP_REQUEST {
        HTTP::header insert "SSL_CLIENT_CERT" [X509::whole [SSL::cert 0]]
    }

    This differs from your iRule in that it doesn't use the iRule to renegotiate the connection to make sure the client sends a certificate. If, however, you want to only request/require a client certificate for specific URLs, you're going to need something along the lines of your iRule, or you're going to need the APM module with the 'OnDemand Certificate Auth' building block.

    Kind regards,

    Thomas

  • This is not an answer but a comment: just note that the solution using 'insert' contains a vulnerability where the cert header info can be manipulated. To correct this, use 'header replace'.


    Ex. HTTP::header replace SSLClientCertSN [lindex $session_data 2]
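Putting the two replies together, here is an added example (not code from this thread or from F5) of an HTTP_REQUEST iRule that first strips any copies of the certificate headers the client sent itself and only then adds the BIG-IP's own values, so the backend never sees a client-supplied value under those names. It reuses the header names from the original post and assumes the client-ssl profile is set to 'require', as Thomas describes.

```tcl
when HTTP_REQUEST {
    # Header names taken from the original post. The backend trusts them only
    # because the BIG-IP sets them, so any copy the client sent must go first:
    # 'insert' alone leaves the client's copy in place, and a backend that reads
    # the first occurrence of a header would use the forged value.
    set cert_headers [list CLIENTSSL_Status CLIENTSSL_StatusString CLIENTSSL_CN CLIENTSSL_SSLIssuer CLIENTSSL_SSLClientCertSN CLIENTSSL_Cert]
    foreach h $cert_headers {
        if { [HTTP::header exists $h] } {
            # Worth logging: a client has no legitimate reason to send these
            log local0. "client [IP::client_addr] sent $h itself; header removed"
            HTTP::header remove $h
        }
    }

    # With the client-ssl profile set to 'require', a handshake without a
    # verified certificate never reaches this event; guard anyway so no request
    # is forwarded without the certificate headers present.
    if { [SSL::cert count] == 0 } {
        log local0. "no client certificate on connection from [IP::client_addr]"
        reject
        return
    }

    set the_cert [SSL::cert 0]
    set verify_result [SSL::verify_result]
    HTTP::header insert CLIENTSSL_Status $verify_result
    HTTP::header insert CLIENTSSL_StatusString [X509::verify_cert_error_string $verify_result]
    HTTP::header insert CLIENTSSL_CN [X509::subject $the_cert]
    HTTP::header insert CLIENTSSL_SSLIssuer [X509::issuer $the_cert]
    HTTP::header insert CLIENTSSL_SSLClientCertSN [X509::serial_number $the_cert]
    # DER certificate base64-encoded so the header value stays on a single line
    HTTP::header insert CLIENTSSL_Cert [b64encode $the_cert]
}
```

The backend should accept these headers only from the BIG-IP's own address, since anything that can reach it directly could still set them.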