Forum Discussion

Erki_Märks_2779
Dec 14, 2007

Client authentication

The problem is that with this iRule, we have to make the Java servlet refresh the request; otherwise it doesn't send the cert information to the application server. Can anyone help me edit this iRule so that it sends the client cert information with the first request?

```tcl
when CLIENT_ACCEPTED {
    set gotcert 0
    SSL::profile client_cert_optional
}

when CLIENTSSL_CLIENTCERT {
    # Store the presented cert and its verification result, keyed by SSL session ID
    set sslc [SSL::cert 0]
    set ssle [X509::verify_cert_error_string [SSL::verify_result]]
    set ssl_stuff [list $sslc $ssle]
    session add ssl [SSL::sessionid] $ssl_stuff 180
    set gotcert 1
}

when CLIENTSSL_HANDSHAKE {
    HTTP::release
}

when HTTP_REQUEST {
    set request [HTTP::request]
    set uri [HTTP::uri]
    switch -regexp $uri {
        ^/(login|admin/login|etc.)/$ {
            if { [SSL::cert count] == 0 } {
                # Hold the request and force a step-up handshake that requires a cert
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 3
                SSL::cert mode require
                SSL::renegotiate
                set y [session lookup ssl [SSL::sessionid]]
                set ssl_cert [lindex $y 0]
                set ssl_ok [lindex $y 1]
                # "equals" rather than "contains": verification error strings such as
                # "certificate revoked" also contain the substring "ok"
                if { $ssl_ok equals "ok" } {
                    HTTP::header insert ClientCertExtensions [X509::extensions $ssl_cert]
                    HTTP::header insert ClientCertHash [X509::hash $ssl_cert]
                    HTTP::header insert SSLCLientCertStatus $ssl_ok
                    HTTP::header insert "CLIENT_IP" [IP::client_addr]
                    HTTP::header insert "SSL_CLIENT_M_SERIAL" [X509::serial_number $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_I_DN" [X509::issuer $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_S_DN" [X509::subject $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_I_DN_x509" [X509::issuer $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_CERT" [X509::whole $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_M_VERSION" [X509::version $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_V_START" [X509::not_valid_before $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_V_END" [X509::not_valid_after $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_VERIFY" "SUCCESS"
                    log [X509::whole $ssl_cert]
                }
            }
        }
    }
}
```

4 Replies

  • Hello, do you mean that if you don't refresh the request client side, the header won't be inserted with certificate information after the SSL renegotiation?

    If that is the case, it may be because at the time you did the insert, there was no certificate presented.

    What is your SSL profile parameter for client auth? Request?

  • You're forcing a "step up" SSL renegotiation with the SSL::renegotiate command, which happens after the first HTTP request. Why not just set Require in the client auth section of the client SSL profile?

  • Hi again, please have a look at this code: https://devcentral.f5.com/codeshare?sid=665.

    As I said before, you can use the same event as you are collecting, and during that event the SSL information is not present. You can modify your iRule like in this code share, which uses the event HTTP_REQUEST_SEND, just before sending the request to the server, to add the header and SSL information.
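Putting the replies together, here is an added example (not the original post's code and not the linked codeshare) of the asker's iRule reworked so that the headers are inserted in HTTP_REQUEST_SEND, after the step-up handshake has finished, instead of directly after SSL::renegotiate. It assumes a client SSL profile whose client auth is set to request or ignore so the first handshake succeeds without a certificate, a hypothetical `collecting` flag to guard HTTP::release, and only the two login paths from the post.

```tcl
when CLIENT_ACCEPTED {
    # Per-connection state, filled in during the step-up handshake
    set gotcert 0
    set collecting 0
    set ssl_cert ""
    set ssl_ok ""
}
when CLIENTSSL_CLIENTCERT {
    # Runs inside the (re)handshake once the client has presented a certificate
    if { [SSL::cert count] > 0 } {
        set ssl_cert [SSL::cert 0]
        set ssl_ok [X509::verify_cert_error_string [SSL::verify_result]]
        set gotcert 1
    }
}
when CLIENTSSL_HANDSHAKE {
    # Handshake done: release the request held by HTTP::collect
    if { $collecting } {
        set collecting 0
        HTTP::release
    }
}
when HTTP_REQUEST {
    switch -regexp [HTTP::uri] {
        "^/(login|admin/login)/$" {
            if { !$gotcert } {
                # Hold the request and start the step-up handshake. The certificate is
                # not readable here; it arrives asynchronously in CLIENTSSL_CLIENTCERT.
                set collecting 1
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 3
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }
}
when HTTP_REQUEST_SEND {
    # Runs just before the request goes to the pool member, after the handshake.
    # Serverside context, so client-side HTTP commands are wrapped in clientside.
    if { $gotcert && ($ssl_ok equals "ok") } {
        clientside {
            HTTP::header insert "SSL_CLIENT_S_DN" [X509::subject $ssl_cert]
            HTTP::header insert "SSL_CLIENT_I_DN" [X509::issuer $ssl_cert]
            HTTP::header insert "SSL_CLIENT_M_SERIAL" [X509::serial_number $ssl_cert]
            HTTP::header insert "SSL_CLIENT_VERIFY" "SUCCESS"
        }
    }
}
```

The verification check uses `equals "ok"` rather than `contains "ok"`, because error strings such as "certificate revoked" also contain the substring "ok". Since the headers are set only on the BIG-IP side, the application server should still be configured to trust these headers only when the request arrives from the BIG-IP.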