Forum Discussion
naladar_65658
Mar 23, 2010Altostratus
You might try this iRule; line for line it matches the code in the URL that I posted, but I added the `log local0.` lines so that you can check the output via your BIG-IP logs. Granted I haven't had a chance to test it myself, but you might give it a spin and see if it works for you.

when RULE_INIT {
    # SSL::sessionid returns a string of 64 zeros when the session will not be cached
    set ::allzeros [string repeat "0" 64]
}

when CLIENTSSL_CLIENTCERT {
    set cert [SSL::cert 0]
    set sid [SSL::sessionid]
    if { $sid ne $::allzeros } {
        # If this SSL session will be cached, then it may be
        # resumed later on a new connection. Cache the cert
        # in the session table in case that happens. Because IDs
        # are not globally unique, the session id needs to be combined
        # with something from the client address to avoid a mismatch.
        set key [concat [IP::remote_addr]@$sid]
        session add ssl $key $cert 180
    }
}

when HTTP_REQUEST {
    if { [info exists cert] } {
        set sn [X509::serial_number $cert]
    } else {
        set sid [SSL::sessionid]
        # We don't have a cert, possibly because this is
        # a new connection that was a resumption of a
        # previous SSL session. If that is the reason,
        # the cert will be in the session table.
        if { $sid ne $::allzeros } {
            # This SSL session was resumed; retrieve the cached cert
            set key [concat [IP::remote_addr]@$sid]
            set cert [session lookup ssl $key]
            if { $cert ne "" } {
                set sn [X509::serial_number $cert]
            } else {
                # dunno how this happened
                reject
                return
            }
        }
    }
    if { [info exists sn] } {
        HTTP::header insert Serial $sn
        log local0. "The User Agent String is: [HTTP::header User-Agent]"
        log local0. "The Serial number is: $sn"
    } else {
        # no sn available, reject the client
        reject
        return
    }
}