Forum Discussion

rraver_79489
May 05, 2009

iRule doesn't work with 2k3 server

We have the below iRule that seems to work with all clients except for 2k3 server. We've tried it on a default install using Internet Explorer 7 and it pauses when we hit login. This iRule works with Windows XP, Vista, and 2k3 server using Firefox. Anyone know or have any ideas why this wouldn't work?

```tcl
when HTTP_REQUEST {
    log "Handling HTTP_REQUEST"

    # Always loop to remove possible multiple occurrences of the header.
    # Any X.509 header arriving from the client is untrusted; stripping it
    # here is what stops a client from injecting its own certificate value.
    while { [HTTP::header exists X.509] } {
        HTTP::header remove X.509
    }

    # Conditionally request a client cert
    if { ([HTTP::uri] starts_with "/acct/login.action" || \
          [HTTP::uri] starts_with "/acct/registration") && [SSL::cert count] == 0 } {
        log "Authentication desired."
        log "Requesting authentication."

        # Hold the HTTP request while the renegotiation runs
        HTTP::collect
        log "HTTP::collect enabled."

        SSL::cert mode request
        log "SSL::cert mode set."

        # Renegotiate SSL so the client is asked for a certificate
        SSL::renegotiate
        log "SSL::renegotiate requested."
    }

    log "Handler completed."
}

when CLIENTSSL_CLIENTCERT {
    log "Handling CLIENTSSL_CLIENTCERT"
    # Release the held request once the renegotiation has delivered the client cert
    HTTP::release
    log "Handler completed."
}

when HTTP_REQUEST_SEND {
    log "Handling HTTP_REQUEST_SEND"
    clientside {
        if { [SSL::cert count] > 0 } {
            log "Certificate presented."

            # If the client provided a cert, pass it along (DER, base64-encoded)
            set val [b64encode [SSL::cert 0]]

            # Also include other certs in the chain it provided
            for { set i 1 } { $i < [SSL::cert count] } { incr i } {
                append val "; " [b64encode [SSL::cert $i]]
            }

            # Stuff it all in the header, with folding (lws) because it's long
            HTTP::header insert "lws" X.509 $val
        }
    }
    log "Handler completed."
}
```
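The header the iRule emits is only safe to trust if the backend sees it exclusively via the BIG-IP (the iRule strips any client-supplied copy for that reason) and parses it defensively. The following is an added example, not code from the original post or from F5: it shows a backend-side consumer of that header. It assumes the value is base64(DER) blobs separated by "; ", possibly folded with CRLF plus linear white space, and it uses constructed DER SEQUENCE blobs as stand-ins for real certificates. All function names and the `from_trusted_proxy` flag are hypothetical.

```python
"""Backend-side handling of the X.509 header produced by the iRule above.

Added example, not part of the original post. Assumptions: the header reaches
the backend only through the BIG-IP, its value is base64(DER) blobs joined
with "; " (cert 0 first, possibly LWS-folded), and CERT0/CERT1 below are
constructed DER SEQUENCEs, not real certificates.
"""
import base64
import binascii
import re

HEADER_NAME = "X.509"

# Constructed stand-ins: a short-form-length SEQUENCE and a long-form-length one.
CERT0 = b"\x30\x03\x02\x01\x05"                 # SEQUENCE { INTEGER 5 }
CERT1 = b"\x30\x81\xc8" + b"\x05\x00" * 100     # SEQUENCE of 200 content bytes


def strip_client_supplied(headers):
    """Drop every X.509 header a client sent (mirrors the iRule's while loop).

    Header names are case-insensitive, so 'x.509' must go too; otherwise a
    client could feed the backend an attacker-chosen certificate.
    """
    return [(n, v) for n, v in headers if n.lower() != HEADER_NAME.lower()]


def build_header(der_certs):
    """Build the value the HTTP_REQUEST_SEND handler produces."""
    if not der_certs:
        raise ValueError("no certificate to encode")
    return "; ".join(base64.b64encode(c).decode("ascii") for c in der_certs)


def fold(value):
    """Fold at the '; ' separators with CRLF + SP. The exact break points the
    BIG-IP 'lws' option chooses are not documented on the page; any RFC 2616
    LWS folding is undone by unfold() below."""
    return value.replace("; ", ";\r\n ")


def unfold(value):
    """Undo LWS folding: CRLF (or LF) followed by SP/HT becomes one space."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def der_length_ok(blob):
    """Cheap sanity check before a real X.509 parser sees the bytes: the blob
    must be exactly one DER SEQUENCE (tag 0x30) whose encoded length matches
    the blob length, with a minimal length encoding. Rejects truncated or
    padded data."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        length = int.from_bytes(blob[2:2 + n], "big")
        hdr = 2 + n
        if length < 0x80 or (n > 1 and blob[2] == 0):
            return False  # not minimal, so not DER
    return hdr + length == len(blob)


def parse_header(value):
    """Parse the header into a list of DER blobs (cert 0 first).
    Raises ValueError on anything that is not well-formed."""
    certs = []
    for part in unfold(value).split(";"):
        part = part.strip()
        if not part:
            raise ValueError("empty certificate entry")
        try:
            der = base64.b64decode(part, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64: {exc}") from exc
        if not der_length_ok(der):
            raise ValueError("entry is not a single DER SEQUENCE")
        certs.append(der)
    return certs


def certs_from_request(headers, from_trusted_proxy):
    """Return the client's chain, or None when the request did not come through
    the BIG-IP (then the header is attacker-controlled) or carries no header.
    More than one X.509 header is an error, not a choice."""
    if not from_trusted_proxy:
        return None
    values = [v for n, v in headers if n.lower() == HEADER_NAME.lower()]
    if not values:
        return None
    if len(values) > 1:
        raise ValueError("multiple X.509 headers")
    return parse_header(values[0])


if __name__ == "__main__":
    hdr = fold(build_header([CERT0, CERT1]))
    print(len(certs_from_request([("X.509", hdr)], from_trusted_proxy=True)), "certs")
```

The `from_trusted_proxy` decision belongs to the deployment (a dedicated listener or source-address check for the BIG-IP), not to the header itself; without it, stripping on the iRule side buys nothing.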

 

3 Replies

  • Can you compare the log output from a successful request from Win2k3 on Firefox with that from a failure from Win2k3 on IE7? Can you post anonymized logs?

    If you hardcode the client SSL profile to request a client cert and remove the iRule, does the IE7 Win2k3 client succeed?

    Aaron
  • I have done an SSL dump between a working Vista IE7 and a non-working 2003 IE7. The difference is that when it does a renegotiation, the Server 2003 client does a resume and the Vista client doesn't. I have attached the SSL dump, which should tell you the most, short of a decrypted libpcap capture. The application is to get the certificate off of the CAC card and provide it to the application; I was told this is only possible via an iRule, so our developers produced the above iRule. I will look into the SSL profile. Any help would be appreciated.
  • Did you ever figure this out? I'm seeing something similar with an IE6 client that resumes an existing SSL session.

    For reference, you can get more verbose details from ssldump using the following flags:

    ssldump -AedHr /var/tmp/encrypted.tcp.dmp -Nk /config/ssl/ssl.key/my_ssl.key > ssl.dmp.txt

    Thanks,

    Aaron