Forum Discussion

RiverFish's avatar
RiverFish
Icon for Altostratus rankAltostratus
Jun 04, 2014

Turn off client auth if uri equals

Customers connect to one IP. They connect with an app, not a browser. They use port 5443 to register (obtain a cert we issue) for the service, and port 443 for the actual service.

register: https://5.5.5.5:5443/register (1-way ssl) (get the cert)

service: https://5.5.5.5/service (2-way ssl) (use the cert)

We have a registration VS and a service VS. Both VS's have their own client ssl profile (no server profile). Below are the differences in the ssl profiles:

I am tasked with getting rid of port 5443 and making it so that customers can both register and hit the service on port 443/https. The majority of the traffic comes in on 443 with the occasional new customer registering first on 5443. The VS's point to different pools. We are running BIG-IP 11.3.0 Build 2806.0 Final.

With that being said, I'd like to make the 2-way ssl profile the default and turn off client auth if uri equals "/register". Here is what I have so far...

when HTTP_REQUEST {
     Turn off client auth for registration requests
    if { [HTTP::uri] contains "/register" } {
      SSL::cert mode ignore
      SSL::renegotiate enable
      SSL::renegotiate
      pool registration-pool  
      return
    } elseif { ([SSL::cert count] > 0) && ([HTTP::uri] contains "/service") } {
     scrub header
      HTTP::header remove chain
      HTTP::header remove client
      HTTP::header remove testCert
      HTTP::header remove ClientCert-Subject
      HTTP::header remove SSLClientCertSubject
      HTTP::header remove SSLClientCertThumbprint
       insert cert subject
      HTTP::header insert SSLClientCertSubject [X509::subject [SSL::cert 0]]
    } else {
      drop
    }
}

Concerns:

  • When to use "return" and "SSL::renegotiate"
  • Security (ssl renegotiate vulnerabilities)
  • Do I need to set variables?

Very grateful for any help on this. Thanks.