SSL ClientCert validation

Question

I have an iRule that I am attempting to write that will validate a client SSL certificate.  If an error is found, log it and deliver a custom http::respond. I can get the http::respond to work all by itself.  I can get the client certificate validation to work all by itself.  But I cant get them to work together. 
&nbsp;  
&nbsp; HTTP::respond by itself: 
&nbsp; when RULE_INIT { 
&nbsp; set response { 
&nbsp;       
&nbsp;          
&nbsp;            Certificate Deny 
&nbsp;          
&nbsp;          
&nbsp;            Your SSL MA connection was denied.
&nbsp; 
&nbsp;            Please validate your certificate. 
&nbsp;          
&nbsp;       
&nbsp;   } 
&nbsp; } 
&nbsp; when HTTP_REQUEST { 
&nbsp;   HTTP::respond 520 content [subst $::response] 
&nbsp; } 
&nbsp;  
&nbsp; Client Certificate validation by itself: 
&nbsp; when CLIENTSSL_CLIENTCERT { 
&nbsp;   set client_cert [SSL::cert 0] 
&nbsp;   if { [X509::subject $client_cert] contains "emailAddress" }{ 
&nbsp; log local0. "Failed STRATA SSL: [IP::client_addr] &amp; [X509::subject $client_cert]" 
&nbsp;   reject 
&nbsp;   } 
&nbsp; } 
&nbsp;  
&nbsp; Combined: 
&nbsp; when RULE_INIT { 
&nbsp; set response { 
&nbsp;       
&nbsp;          
&nbsp;            Certificate Deny 
&nbsp;          
&nbsp;          
&nbsp;            Your SSL MA connection was denied.
&nbsp; 
&nbsp;            Please validate your certificate. 
&nbsp;          
&nbsp;       
&nbsp;   } 
&nbsp; } 
&nbsp; when CLIENTSSL_CLIENTCERT { 
&nbsp;   set client_cert [SSL::cert 0] 
&nbsp;   if { [X509::subject $client_cert] contains "emailAddress" }{ 
&nbsp; log local0. "Failed STRATA SSL: [IP::client_addr] &amp; [X509::subject $client_cert]" 
&nbsp;   set ::denycode 0 
&nbsp; log local0. "DenyCode = $::denycode" 
&nbsp;   } 
&nbsp; } 
&nbsp; when HTTP_REQUEST { 
&nbsp;   if { $::denycode == 0 }{ 
&nbsp;   HTTP::respond 520 content [subst $::response] 
&nbsp;   } 
&nbsp; unset ::denycode 
&nbsp; unset ::response 
&nbsp; } 
&nbsp; I can log the rule, and see it working all the way down to the "denycode" variable being created.  Nothing below that.  Any suggestions...??

hooleylist · Answer

Hi,   
&nbsp;      
&nbsp;  You're using a global variable to track whether the cert is valid or not.  The global variable could be modified from every TCP connection of every client. 
&nbsp;    
&nbsp;  You might be better off adding the SSL session ID to the session table in CLIENTSSL_CLIENTCERT with a flag on whether it was valid or not.  Then in HTTP_REQUEST you could look up the session table entry using the SSL session ID and send a response if it's a bad session ID.  You can use a Codeshare example as a template for this:   
&nbsp;      
&nbsp;   Insert Cert In Server Headers (Click here)   
&nbsp;      
&nbsp;   Also, you don't need to use subst when sending the HTTP response.  It's only used if you're trying to force a escaped characters to be interpreted within the response content.    
&nbsp;    
&nbsp;  Lastly, you shouldn't unset the ::response variable as you'll need to reference it every time you find an invalid SSL session ID.   
&nbsp;      
&nbsp;   Aaron

Forum Discussion

SSL ClientCert validation

1 Reply

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Can iRule mask the payload content on event logs of security

Related Content

POC: Validate JWT with iRule

Implementing SSL Orchestrator - Validation & Troubleshooting

iRule to accept client then SSL cert validation

APM Customization: Password Change Validation

Request and validate OAuth / OIDC tokens with APM