Forum Discussion

adharkrader
Apr 01, 2017

Can I reply with an SSL alert when validating client certificate?

I have an iRule that validates client certs against a data group. Currently, if they don't match, I send a Reject (TCP RST). Problem is that the calling browsers retry... I've seen up to 9 retries. Is there a way to reply with an actual SSL Alert message from RFC5246?

 

I saw Hoolio's iRule that delays the response until the first HTTP_REQUEST but I'd like to abort the session right at the handshake, if I can send something marginally informative back to the caller.

 

Thanks - Al

 

3 Replies

  • Just the kind of gnarly bin/hex widget I was looking for... I assume there's no SSL::alert function?

     

  • Hello,

    The command SSL::verify_result not only shows the result of the client certificate verification, but can also be used to change the result.

    when CLIENTSSL_CLIENTCERT {
        if {[SSL::cert count] > 0} {
            if {[SSL::verify_result] == 0} {
                # at this point, the client was already determined to be valid.
                if {"your check is false"} {
                    # placeholder: replace with your own check of the presented certificate
                    # certificate does not match, respond like we don't trust them
                    SSL::verify_result 20
                }
            }
        }
    }
    

    I recommend using the command in the CLIENTSSL_CLIENTCERT event. This should result in an actual SSL alert response.

    The SSL::verify_result page provides several possible error responses.
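A complete iRule built around the approach in the reply above, as an added example that is not part of the original answer or of F5's own code. It assumes a string data group named client_cert_allowlist whose keys are the allowed client certificate subject DNs exactly as X509::subject renders them; the choice of subject DN as the lookup key, the log lines and the variable names are this example's own, while the override value 20 is the one the answer uses.

```tcl
# Added example (not the answer author's code). Assumes a string data group
# named "client_cert_allowlist" whose keys are allowed client certificate
# subject DNs as X509::subject renders them.
when CLIENTSSL_CLIENTCERT {
    # No certificate presented: nothing to compare. Whether that is allowed
    # at all is decided by the client SSL profile (request vs. require).
    if { [SSL::cert count] == 0 } {
        return
    }

    # A non-zero result here means chain/CA validation already failed on
    # the profile's trusted CA bundle. Leave it alone; the handshake will
    # already fail with the alert BIG-IP selected for that error.
    if { [SSL::verify_result] != 0 } {
        log local0. "client cert failed chain validation, code [SSL::verify_result] from [IP::client_addr]"
        return
    }

    set subject [X509::subject [SSL::cert 0]]

    if { [class match $subject equals client_cert_allowlist] } {
        # Listed: keep verify_result at 0 and let the handshake complete.
        log local0. "client cert accepted: $subject from [IP::client_addr]"
        return
    }

    # Not listed. Rather than "reject" (a TCP RST, which browsers retry),
    # overwrite the verification result with a non-zero X509 error code so
    # BIG-IP fails the handshake with a TLS alert. 20 is the value the
    # answer uses (OpenSSL's "unable to get local issuer certificate"),
    # which the client sees as an unknown_ca alert; the SSL::verify_result
    # documentation lists the other codes available.
    log local0. "client cert not in allowlist, failing handshake: $subject from [IP::client_addr]"
    SSL::verify_result 20
}
```

Attach the iRule to a virtual server whose client SSL profile has client authentication set to request or require and the issuing CA in its trusted bundle, otherwise CLIENTSSL_CLIENTCERT never sees a verified certificate to compare. Because the handshake now ends with an alert rather than a reset, each failed attempt shows up once in the log with the subject that was refused, which is also what makes the retry storm described in the question stop.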