Forum Discussion

JessB_42846
Aug 11, 2011

Request client cert based on URI access

Hi!

I've been dredging DevCentral and built 4 or 5 iterations of an iRule with mixed success. I made a good breakthrough but then the scope creeped and I'm back at step 1.

I am attempting to develop an iRule that will limit access to certain URIs based upon the client providing a certificate. The trick is users can only be prompted to provide a certificate when they access the specific URI. I've started fresh using the example provided here:

http://devcentral.f5.com/wiki/iRule...ation.ashx

I've obfuscated some data but nothing critical to the running of the iRule. I've also changed the outcome - I just want the PEM encoded cert inserted in the header (processing occurs on the application server).

In its current form - the connection seems to 'hang' which makes me think the HTTP::release isn't happening.

Here is where I am now:

    # Initialize the variables on new client tcp session.
    when CLIENT_ACCEPTED {
        set collecting 0
        set renegtried 0
    }

    # Runs for each new http request
    when HTTP_REQUEST {
        if { $renegtried == 0 and [SSL::cert count] == 0 and ( [HTTP::uri] equals "/URI/ClientCert" ) } {
            HTTP::collect
            set collecting 1
            SSL::cert mode request
            SSL::renegotiate
        }
    }

    when CLIENTSSL_HANDSHAKE {
        if { $collecting == 1 } {
            set renegtried 1
            HTTP::release
        }
    }

    when HTTP_REQUEST_SEND {
        clientside {
            if { [SSL::cert count] > 0 } then {
                # set a variable for the whole cert - cut out the BEGIN and END crap though
                set ssl_cert_whole [ join [string trim [string map { "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" ""} [X509::whole [SSL::cert 0] ] ] "" ]]
                # log to show we are receiving the cert
                log local0. "Client Certificate: [X509::subject [SSL::cert 0]]"
                # insert the whole cert as a header
                HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" $ssl_cert_whole
            } else {
                log local0. "Restricted zone. No client cert detected - redirecting."
                HTTP::redirect "https://error.com";
            }
        }
    }

Any help would be awesome.
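
As an added example (not the poster's iRule and not a DevCentral one), the same collect, renegotiate, release structure with two defensive additions: any client-supplied copy of the trusted header is stripped before the BIG-IP inserts its own, and the certificate is only forwarded when verification against the profile's CA bundle succeeded. It assumes a client SSL profile with renegotiation enabled and a CA file set, and a hypothetical restricted prefix /uri/clientcert; the header name and redirect target are taken from the post.

```tcl
# Added example, not the poster's iRule. Assumes a client SSL profile with
# renegotiation enabled and a CA bundle set; /uri/clientcert is hypothetical.
when CLIENT_ACCEPTED {
    set collecting 0
    set renegtried 0
    set restricted 0
}
when HTTP_REQUEST {
    # The app server trusts this header, so drop any copy the client sent.
    HTTP::header remove "X-ENV-SSL_CLIENT_CERTIFICATE"
    if { [string tolower [HTTP::uri]] starts_with "/uri/clientcert" } { set restricted 1 } else { set restricted 0 }
    if { $restricted && $renegtried == 0 && [SSL::cert count] == 0 } {
        # Park the request, then ask this connection (only) for a certificate.
        HTTP::collect
        set collecting 1
        SSL::session invalidate
        SSL::authenticate always
        SSL::cert mode request
        SSL::renegotiate
    }
}
when CLIENTSSL_HANDSHAKE {
    # Renegotiated handshake done (with or without a cert): resume the parked request.
    if { $collecting == 1 } {
        set renegtried 1
        set collecting 0
        HTTP::release
    }
}
when HTTP_REQUEST_SEND {
    clientside {
        if { $restricted } {
            if { [SSL::cert count] == 0 } {
                log local0. "Restricted URI, no client cert presented - redirecting."
                HTTP::redirect "https://error.com"
            } elseif { [SSL::verify_result] != 0 } {
                # A cert was presented but did not verify against the CA bundle.
                log local0. "Rejected cert [X509::subject [SSL::cert 0]]: [X509::verify_cert_error_string [SSL::verify_result]]"
                HTTP::redirect "https://error.com"
            } else {
                # Strip the PEM armour and line breaks so the header value is one line.
                set pem [X509::whole [SSL::cert 0]]
                set body [string map [list "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" "" "\r" "" "\n" ""] $pem]
                HTTP::header insert "X-ENV-SSL_CLIENT_CERTIFICATE" $body
                log local0. "Forwarded client cert: [X509::subject [SSL::cert 0]]"
            }
        }
    }
}
```

If renegotiation is disabled on the client SSL profile, the self-initiated renegotiation is refused, CLIENTSSL_HANDSHAKE never fires and the collected request hangs, which matches the symptom described above.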

  • I did a simple test. Hope it is helpful.

    [root@Edelweiss:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.17.17:https
       ip protocol tcp
       rules myrule
       profiles {
          http {}
          myclientssl {
             clientside
          }
          tcp {}
       }
    }
    [root@Edelweiss:Active] config  b profile myclientssl list
    profile clientssl myclientssl {
       defaults from clientssl
       ca file "ca-bundle.crt"
       renegotiate enable
    }
    [root@Edelweiss:Active] config  b rule myrule list
    rule myrule {
       when CLIENTSSL_HANDSHAKE {
          if { [SSL::cert count] > 0 } {
             HTTP::release
          }
       }

       when HTTP_REQUEST {
          if { [string tolower [HTTP::uri]] starts_with "/uri/clientcert/" } {
             if { [SSL::cert count] == 0 } {
                HTTP::collect
                SSL::session invalidate
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
             }
          }
       }
    }

    when accessing https://172.28.17.17/

    4 10 1315633001.1229 (0.0159)  C>SV3.1(410)  application_data
        ---------------------------------------------------------------
        GET / HTTP/1.1
        Host: 172.28.17.17
        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.22) Gecko/20110902 AskTbPTV/3.12.5.17640 Firefox/3.6.22
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip,deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Keep-Alive: 115
        Connection: keep-alive
    
        ---------------------------------------------------------------
    4 11 1315633001.1266 (0.0036)  S>CV3.1(500)  application_data
        ---------------------------------------------------------------
    

    when accessing https://172.28.17.17/uri/clientcert/

    4 10 1315632762.4093 (0.0099)  C>SV3.1(425)  application_data
        ---------------------------------------------------------------
        GET /uri/clientcert/ HTTP/1.1
        Host: 172.28.17.17
        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.22) Gecko/20110902 AskTbPTV/3.12.5.17640 Firefox/3.6.22
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip,deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Keep-Alive: 115
        Connection: keep-alive
    
        ---------------------------------------------------------------
    
    4 11 1315632762.4096 (0.0003)  S>CV3.1(24)  Handshake
          HelloRequest
    4 12 1315632762.4102 (0.0005)  C>SV3.1(174)  Handshake
          ClientHello
    4 13 1315632762.4109 (0.0007)  S>CV3.1(94)  Handshake
          ServerHello
    4 14 1315632762.4109 (0.0000)  S>CV3.1(712)  Handshake
          Certificate
    4 15 1315632762.4109 (0.0000)  S>CV3.1(28)  Handshake
          CertificateRequest
    4 16 1315632762.4109 (0.0000)  S>CV3.1(24)  Handshake
          ServerHelloDone
    
  • I'm also receiving a warning in my LTM logs:

    Aug 12 03:00:06 local/tmm2 warning tmm2[13007]: 01260012:4: Self-initiated renegotiation attempted while renegotiation disabled: pr_c_ssl_name-removed 

    which as a warning doesn't concern me much.

  • Here is the Apache code to achieve what I want to do - request a client certificate on a specific-directory basis:

        SSLVerifyClient require
        SSLVerifyDepth 1

    Is it possible to replicate this behaviour on the F5?
  • Do you have renegotiation enabled on your client SSL profile? What debug logging do you see in /var/log/ltm?

    Aaron
  • I've enabled 'renegotiation' on the SSL profile - thanks for that Aaron.

    Same problem though. The connection doesn't appear to be complete.

    The first example noted here 'http://devcentral.f5.com/wiki/iRule...tiate.ashx' seems to have the same problem. I'm not prompted for a client certificate and the connection never completes.

    Obviously, I've got something wrong somewhere.

    No debug logging in LTM logs - do I need to increase the verbosity or something?