Forum Discussion

Dirk_Laan_18877
Nov 20, 2006

if no cert rule

Hello,

We've created the following iRule for checking the cert.

If the cert is present everything works ok.

But if the client has no cert, the rule's HTTP redirect does not work.

Anyone have ideas?

It drives me crazy to get this working.

    when CLIENTSSL_CLIENTCERT {
        # Runs when the client presents a certificate during the handshake
        set ssl_cert [SSL::cert 0]
        set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
        set ssl_stuff [list $ssl_cert $ssl_errstr]
        # Keep the cert and its verify status for this SSL session for 180 s
        session add ssl [SSL::sessionid] $ssl_stuff 180
        log local0. "ClientSSl_Clienthandshake status: $ssl_errstr"
    }

    when HTTP_REQUEST {
        set ssl_stuff [session lookup ssl [SSL::sessionid]]
        set clcert [lindex $ssl_stuff 0]
        set ssl_errstr [lindex $ssl_stuff 1]
        # (the posted rule also read index 2, which the two-element list never has)
        if { $ssl_errstr equals "ok" } {
            log local0. "De ok-status is: $ssl_errstr"
            pool portal-apps
            HTTP::header remove "If-Modified-Since"
        } elseif { $ssl_errstr equals "" } {
            # No session entry: CLIENTSSL_CLIENTCERT never fired, so no cert was seen
            log local0. "no cert"
            HTTP::redirect "https://xxxxxx/errors/cert_error.htm"
        } else {
            HTTP::redirect "https://xxxxx/errors/nocert.htm"
            log local0. "cert error or wrong cert: $ssl_errstr"
        }
    }


6 Replies

  • Which condition is met when a client makes a request without presenting a cert?

    Can you post the log output from a request where a client does not present a cert?

    Aaron
  • (Chertsey ?)

    Hello Aaron,

    It looks like the rule is never hit when the client has no cert.

    So there is also no logging available.

    Dirk
  • Hi Dirk,

    Yep, I'm in Chertsey.

    If the client is making it to the VIP that you have the rule configured for, there should be logging for the HTTP_REQUEST event (regardless of whether the client is presenting the cert or not).

    Are you testing by not sending a cert at all, or are you testing by sending a cert initially and then not sending a cert?

    Is the connection reset or is it passed to the portal-apps pool?

    If you aren't seeing any logging whatsoever for requests where clients don't present certs, you might try restarting TMM (bigstart restart tmm) and retesting.

    Aaron
  • I've restarted TMM.

    Still no logging.

    I'm testing with IE (sending a cert initially and then not sending a cert).

    Testing with Firefox (not sending a cert at all).

    I get no logging.

    Both ways, the connection is reset (saying page not found in a new window).

    If I use a cert I see logging.

    Dirk
  • I've changed the SSL profile:

    changed client certificate from require to request

    In this situation it looks ok.

    Thanks

    http://devcentral.f5.com/Default.aspxtabid=28&view=topic&forumid=5&postid=3561

    Just to point out for everybody else though - the problem here is that you can't inspect the URI until after the SSL handshake has completed. If you have the cert mode set to require, then the handshake is not going to successfully complete without it, therefore you won't be able to inspect the URI to determine if it isn't needed.

    However, when the cert mode is set to request, then the handshake merely requests the certificate. If it is not present, the connection is still allowed and the rule can then inspect the URI and determine if one is required. At that point, you could simply check if a certificate was present and reject the connection if one was required but not presented.

    The only way to not request a certificate initially is to set the cert mode to none and then after inspecting the URI, upgrade the cert mode and force a renegotiation. Obviously, not the optimal way to do things if you have only two pages that don't require a certificate.

    Thanks

    Dirk
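The approach the last reply describes (client cert mode set to "request", then deciding per URI whether a certificate was required), written out as an added iRule example. This is not the poster's rule or F5's code; it assumes the client SSL profile is set to request, that everything under /errors/ (a placeholder path) must stay reachable without a certificate, that portal-apps is the protected pool, and that www.example.com is a placeholder hostname.

```tcl
# Added example, not the rule from the thread. Requires the client SSL
# profile's client certificate mode to be "request", otherwise the handshake
# fails without a cert and HTTP_REQUEST never runs (the problem in the thread).

when CLIENTSSL_CLIENTCERT {
    # Fires when the client hands over a certificate during the handshake.
    if { [SSL::cert count] > 0 } {
        # "ok" on success, otherwise the OpenSSL verify error text
        set status [X509::verify_cert_error_string [SSL::verify_result]]
    } else {
        set status "nocert"
    }
    # Keep the verdict for this SSL session (180 s) so resumed sessions,
    # which skip the certificate exchange, still carry a result.
    session add ssl [SSL::sessionid] $status 180
}

when HTTP_REQUEST {
    set status [session lookup ssl [SSL::sessionid]]
    if { $status equals "" } {
        # No record for this session: CLIENTSSL_CLIENTCERT never ran, so the
        # client did not present a certificate.
        set status "nocert"
    }

    # Pages that must work without a certificate (placeholder path).
    if { [string match "/errors/*" [HTTP::uri]] } {
        return
    }

    switch -- $status {
        "ok" {
            HTTP::header remove "If-Modified-Since"
            pool portal-apps
        }
        "nocert" {
            log local0. "no client cert for [HTTP::uri] from [IP::client_addr]"
            HTTP::redirect "https://www.example.com/errors/nocert.htm"
        }
        default {
            # Certificate presented but failed verification (expired, wrong CA, ...)
            log local0. "client cert rejected ($status) from [IP::client_addr]"
            HTTP::redirect "https://www.example.com/errors/cert_error.htm"
        }
    }
}
```

The allowlist check runs before the certificate check so that the error pages the redirects point at are themselves reachable without a certificate. Where a friendly error page is not wanted, the "nocert" and default branches can call reject instead of HTTP::redirect, which is the behaviour the reply suggests for a required-but-missing certificate; either way the decision is logged so failed client-cert attempts show up in local0.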