Forum Discussion

Rodolphe_AUBINE
Oct 05, 2010

Front location replaced by an irule works on Firefox but not on IE...

Hi,

You will see below an iRule written in order to replace a location defined on a front server for a URL /appli/verifyx509.jsp which activates client certificate authentication.

This iRule works on Firefox browser 3.6 but not on IE 6, the HTTP::redirect seems to be made before.

My problem is that without the HTTP::redirect, the client certificate authentication works well, but the certificate is never placed in the header of the request.

Could you give me some help? I think I forgot something...

iRule:

    when CLIENT_ACCEPTED {
        set session_flag 0
    }

    when CLIENTSSL_HANDSHAKE {
        # A handshake that produced a client certificate releases the held request
        if { [SSL::cert count] != 0 } {
            HTTP::release
        }
    }

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "verifyx509.jsp" } {
            if { [SSL::cert count] == 0 } {
                # Hold the request and ask the client for a certificate
                HTTP::collect
                set session_flag 1
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
            if { [SSL::cert count] == 1 } {
                # Pass the client certificate to the server in request headers
                HTTP::header insert "X509CertificatePresent" "true"
                HTTP::header insert "X509Certificate" [b64encode [SSL::cert 0]]
            } else {
                HTTP::redirect /appli/verifyx509.jsp
            }
        }
    }

1 Reply

  • Hi Rodolphe,

    I ran into a similar situation where IE6 was still re-using the same SSL session ID even after re-negotiation. You should be able to prevent this by adding SSL::session invalidate just before you call SSL::renegotiate.

    http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__session.html

    Aaron
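
The reply's suggestion applied to the posted iRule, as an added example that is not part of the thread. Inserting the headers in HTTP_REQUEST_SEND, removing client-supplied copies of the two headers, and the variable name insert_cert are assumptions of this example, not something either poster wrote.

```tcl
# Added example (not from the thread). insert_cert is a hypothetical variable name.
when HTTP_REQUEST {
    # The back end treats these headers as proof of a client certificate,
    # so drop any copy the client sent itself.
    HTTP::header remove "X509CertificatePresent"
    HTTP::header remove "X509Certificate"

    # Recomputed on every request so a keep-alive connection does not carry it over.
    set insert_cert [expr { [HTTP::uri] contains "verifyx509.jsp" }]

    if { $insert_cert && [SSL::cert count] == 0 } {
        # Hold the request until the new handshake has finished.
        HTTP::collect
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        # Reply's suggestion: invalidate the cached session so the browser
        # cannot resume it instead of doing a full handshake with a certificate.
        SSL::session invalidate
        SSL::renegotiate
    }
}

when CLIENTSSL_HANDSHAKE {
    # Release the held request once a certificate has been presented.
    if { [SSL::cert count] != 0 } {
        HTTP::release
    }
}

when HTTP_REQUEST_SEND {
    # Runs after the request is released, so the certificate from the
    # renegotiated handshake is visible here.
    clientside {
        if { $insert_cert && [SSL::cert count] > 0 } {
            HTTP::header insert "X509CertificatePresent" "true"
            HTTP::header insert "X509Certificate" [b64encode [SSL::cert 0]]
        }
    }
}
```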