Can anybody correct this iRule syntax? Thanks

when CLIENTSSL_CLIENTCERT { if {[SSL::cert count] > 0}{ set client_cert [SSL::cert 0] set CLIENT “[ join [string trim [string map { “—–BEGIN CERTIFICATE—–” “” “—–END CERTIFICATE—–” “”} [X509::whole $client_cert ] ] ] “” ]” } else { log local0. “no cert found during clientssl_clientcert” } } when HTTP_REQUEST { if { [SSL::cert count] > 0 } { set CLIENT “[ join [string trim [string map { “—–BEGIN CERTIFICATE—–” “” “—–END CERTIFICATE—–” “”} [X509::whole $client_cert ] ] ] “” ]” HTTP::header insert “NSClientCert” “—–BEGIN CERTIFICATE—– $CLIENT —–END CERTIFICATE—–” } }

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Try this. You had some encoding issues it seems, and were missing a ]:

when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] > 0}{
        set client_cert [SSL::cert 0]
        # Strip the PEM markers, then join the remaining lines into one string
        set CLIENT "[join [string trim [string map {"-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" ""} [X509::whole $client_cert]]] ""]"
    } else {
        log local0. "no cert found during clientssl_clientcert"
    }
}
when HTTP_REQUEST {
    if { [SSL::cert count] > 0 } {
        set CLIENT "[join [string trim [string map {"-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" ""} [X509::whole $client_cert]]] ""]"
        # Re-add the markers around the single-line certificate body
        HTTP::header insert "NSClientCert" "-----BEGIN CERTIFICATE----- $CLIENT -----END CERTIFICATE-----"
    }
}
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I realize this is an old thread, but I tried following this today, and wondered why the need to remove then add back in the BEGIN and END certificate rather than just do something like:


HTTP::header insert "NSClientCert" [string trim [X509::whole [SSL::cert 0]]]

to replace

set CLIENT "[join [string trim [string map {"-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" ""} [X509::whole $client_cert]]] ""]"
        HTTP::header insert "NSClientCert" "-----BEGIN CERTIFICATE----- $CLIENT -----END CERTIFICATE-----"

I believe if you validate the [SSL::cert 0] at CLIENTSSL_CLIENTCERT, you don't need to add the insert header at the CLIENTSSL_CLIENTCERT and at HTTP_REQUEST; it seems redundant.

0
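An added example, not part of the original thread or F5's own code: the `join ... ""` in the accepted answer collapses the PEM's line breaks so the certificate fits on a single header line, and the markers are stripped first because they contain spaces that the join would also swallow. The iRule below does the same flattening once per handshake and also drops any `NSClientCert` header the client sent itself, so the back end only ever sees the value set here. The variable name `client_pem_oneline` is introduced for this example, and it assumes the back end expects the marker/body/marker format used in the thread.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Start from a clean state so a failed (re)negotiation cannot leave a
    # stale certificate attached to this connection.
    if { [info exists client_pem_oneline] } {
        unset client_pem_oneline
    }

    if { [SSL::cert count] > 0 } {
        # X509::whole returns the certificate as PEM text.
        set pem [X509::whole [SSL::cert 0]]

        # Remove the markers and every whitespace character, leaving only
        # the base64 body on one line.
        set body [string map [list \
            "-----BEGIN CERTIFICATE-----" "" \
            "-----END CERTIFICATE-----"   "" \
            "\r" "" "\n" "" "\t" "" " " ""] $pem]

        # Rebuild the single-line form used in the thread.
        set client_pem_oneline "-----BEGIN CERTIFICATE----- $body -----END CERTIFICATE-----"
    } else {
        log local0. "no cert found during clientssl_clientcert"
    }
}

when HTTP_REQUEST {
    # Discard any copy of the header supplied by the client before deciding
    # whether to insert our own.
    HTTP::header remove "NSClientCert"

    # Insert only when a certificate was actually captured on this
    # connection; this also avoids referencing an unset variable.
    if { [info exists client_pem_oneline] } {
        HTTP::header insert "NSClientCert" $client_pem_oneline
    }
}
```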