R_Marc (Nimbostratus), Jun 13, 2014
iRules MSSL client cert detection
Problem: I have an SSL mutually authenticated web service. The BigIP is serving only as a TCP load balancer. The BigIP is in one arm mode. I need to identify the client IP with a client cert/identity.
This worked, though I'm sure it's a horrible hack of code:
when CLIENT_DATA {
    # Fires once TCP::collect has buffered client data; the TLS handshake
    # (including a cleartext client Certificate message in TLS 1.2 and below)
    # passes through here because this virtual server is TCP-only.
    if { [string tolower [TCP::payload]] contains "users" } {
        set s [TCP::payload]
        # Strip control characters, then anything non-printable, then anything
        # outside letters/digits/dot/space so the cert contents are loggable.
        # (The last regsub alone already removes everything the first two do.)
        regsub -all {[\u0000-\u001f\u007f]+} $s "" s
        regsub -all {[^\u0020-\u007e]+} $s "" s
        regsub -all {[^a-zA-Z0-9\. ]} $s "" s
        log local0. "$s [IP::client_addr] [LB::server addr]:[LB::server port]"
    }
    # Hand the buffered bytes to the server side and keep collecting.
    TCP::release
    TCP::collect
}
when LB_SELECTED {
    # Start collecting only after a pool member is chosen so that
    # LB::server addr/port are valid in CLIENT_DATA.
    log local0. "-"
    TCP::collect
}
In my case, the client certs all have an OU with "users", which is why I'm searching for that.
The output looks like this (output edited for your protection):
Jun 13 04:08:29 bip info tmm11[14332]: Rule /Common/get-client-cert-rule : 00Em05FX20H010dcom10dcompany10UCompany10USomething10USubordinate CA0120329144554Z160328144714Z010dcom10dcompany10dips1402UCompany External Web Service10Uusers10U900617.KeyClientCustTest00H0b.SUwzMN2xaaA8ACdKSybNurwMdoJDL217foWfi1i9gVTyfSQ0YENSAfG2.cT. e00U0CxKeSUMz0U00U 00H003httpcertificates.company.comCPS000Company0The Company Certification Practice Statement governs this certificate and is incorporated by reference herein. Limited Liability0CU008642httpblah.company.comPRDCRLEXCCRL.crl0U00U0HB0UyqhL90HJXsw.ZAwhxK2ANjN8BrXI9U Asdvq 10.0.0.1 10.0.1.2:443
I'm open to better ways of doing this.
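As an added example (not from the original post), here is a more protocol-aware variant of the same TCP-only rule: instead of scrubbing the raw bytes, it reads the TLS record and handshake headers and logs the client address only when a cleartext Certificate message (handshake type 11) is seen. It assumes TLS 1.2 or lower, where the client's Certificate message is not encrypted, and that the Certificate record sits at the start of the collected buffer, which is the usual case for the client's second flight but is not guaranteed by TCP segmentation.

```tcl
when LB_SELECTED {
    # Start collecting after the pool member is chosen, as in the original rule,
    # so LB::server addr/port are available when CLIENT_DATA fires.
    TCP::collect
}
when CLIENT_DATA {
    set payload [TCP::payload]
    set plen [TCP::payload length]
    # TLS record header is 5 bytes, handshake header 4 bytes; need at least 9.
    if { $plen < 9 } {
        TCP::release
        TCP::collect
        return
    }
    # Record: type(1) version(2) length(2); Handshake: type(1) length(3, first byte read here).
    binary scan $payload cSSc rtype rver rlen htype
    # Tcl 8.4 binary scan yields signed values; mask to unsigned.
    set rtype [expr {$rtype & 0xff}]
    set rver  [expr {$rver & 0xffff}]
    set rlen  [expr {$rlen & 0xffff}]
    set htype [expr {$htype & 0xff}]
    if { $rtype == 22 && $htype == 11 } {
        # Handshake record carrying a Certificate message: the client presented a cert.
        # TLS 1.3 encrypts this message, so this check only works for 0x0303 and below.
        log local0. "client cert seen from [IP::client_addr] to [LB::server addr]:[LB::server port] (tls version [format 0x%04x $rver], record len $rlen)"
    }
    TCP::release
    TCP::collect
}
```

If the virtual server can be given a clientssl profile instead, the CLIENTSSL_CLIENTCERT event with `X509::subject [SSL::cert 0]` yields the subject DN directly, with no payload parsing.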