Forum Discussion

Michael_57131
Apr 14, 2017

Clear SSL state

Is there an iRule option to clear the SSL state, like what can be done in IE in the Internet Options with the "Clear SSL state" button in content settings?

11 Replies

  • I want to be able to use a browser to negotiate SSL client verification after someone has a certificate in the browser. They start off with no certificate. HTML meta-refreshes until they do. Then they are prompted to select the certificate. Client authentication isn't bad, but trying to get client authentication working after a browser has no certificates isn't working. In IE I can get it to work with the meta-refreshes if I reset the SSL state; I'm hoping there's a server-initiated way to do this that I can do from an iRule.

  • "Client authentication isn't bad, but trying to get client authentication working after a browser has no certificates isn't working."

    I'm not quite sure what you mean?

  • Certificate verification by the SSL server has a simple iRule command like SSL::cert mode request and then SSL::renegotiate. As long as the client has a certificate this works great.

    But if the client doesn't have any certificates, like they haven't inserted the smart card, SSL never succeeds and the client can't finish the SSL negotiation.

    I'm trying to figure out if there's an iRule command I can use in an event that allows me to reset the state of the connection until the client has a valid certificate.

    The desired scenario is: there are no certificates available to the browser session initially. The user requests a web site that requires SSL client authentication. The user has no certificates and sees an error page telling him to insert his smart card, with a meta refresh tag in the HTML. The user inserts his smart card. The meta refresh repeats until certificates are available in the browser. When certificates are available, the user is prompted for his smart card PIN.

    Sacrificing brevity. I've tried to loop through the events with a counter at the top. If the client doesn't have the cert, I can get the meta-refresh working with the HTTP::respond 200 content, but the browser never tries to renegotiate with the newly available certificates. In between the loops the iRule does another SSL::cert request and SSL::renegotiate. Wireshark shows a new TCP session, new ephemeral ports on the clients, and I see the TLS hello handshake. But it doesn't work.

    Only if I use the IE button to "Clear SSL State" and then wait for the next meta-refresh to finish does it work as expected.

  • So what you need is:

    Client cert: request on the SSL profile, with CA cert as you have now. No SSL iRule.

    In HTTP_REQUEST, if client cert auth is not successful, respond with a web page: please provide identification.

    Sound right?

  • This is right, it's what we've got now and it works great. No issues. Except when people haven't inserted the smart card and the certificates are not available.

    At that point we want to go in a while loop and try 3 times, waiting 10 seconds after each try to look for the certificates.

    This is normally not a problem, but we're trying to use kiosks for this application and the kiosk always removes the SSL certificate cache. But the kiosk doesn't have an option to not proceed until the smart card is inserted.

    This would help with some other failures we've had also with desktop use of the application, where the user accidentally cancels the certificate selection, or picks the wrong cert.

  • OMG. Today, I learned you actually can't do everything in an iRule, there are other technologies. Crazy.

    Love iRules, but it wasn't the right approach. That session state is maintained in the browser's cache, I'm convinced. Renegotiating and disabling the SSL session cache on the server wasn't enough.

    In the content now I'm sending some JavaScript I found on another forum. Now the content sent back looks like:

    HTTP::respond 200 content "Refreshing
    $sid
    $flow"

    sid and flow were just my debugging. I just need to get the iRule to do a while loop with a maximum retry count and I'll be good. That document.execCommand('ClearAuthenticationCache') is what I needed, and it appears to run something like this: c:\windows\system32\rundll32.exe "c:\Windows\system32\wininet.dll",DispatchAPICall 3
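The retry loop the poster is after, written as an added example iRule that is not from this thread: the client SSL profile is assumed to have Client Certificate set to "request" as suggested earlier, and the cookie name cert_retry, the 3 tries / 10 second delay and the page text are assumptions taken from the requirements stated above.

```tcl
# Added example, not the poster's iRule. Assumes a client SSL profile with
# Client Certificate = request, so SSL::cert is populated before HTTP_REQUEST.
# The retry count lives in a cookie because an iRule cannot sleep or loop
# across requests; each browser refresh is one iteration.
when HTTP_REQUEST {
    # A certificate was presented and passed the profile's CA check: let it through.
    if { [SSL::cert count] > 0 } {
        return
    }

    # No client certificate on this session: read the retry counter (assumed cookie name).
    set tries 0
    if { [HTTP::cookie exists "cert_retry"] } {
        set tries [HTTP::cookie value "cert_retry"]
        if { ![string is integer -strict $tries] } { set tries 0 }
    }

    # Give up after the third attempt and reset the counter for the next visit.
    if { $tries >= 3 } {
        HTTP::respond 403 content "<html><body>No client certificate was presented after 3 attempts. Insert your smart card and reload this page.</body></html>" \
            "Content-Type" "text/html" \
            "Cache-Control" "no-store" \
            "Set-Cookie" "cert_retry=0; Path=/; Secure; HttpOnly"
        return
    }
    incr tries

    # Clear the browser's cached client-auth choice (the execCommand call from the
    # thread; confirmed there for IE only, so it is wrapped in try/catch), then
    # meta-refresh after 10 seconds so the new TLS handshake can offer the card's cert.
    set html "<html><head><meta http-equiv=\"refresh\" content=\"10\"></head><body>"
    append html "<script>try { document.execCommand('ClearAuthenticationCache'); } catch (e) {}</script>"
    append html "Please insert your smart card. Retrying, attempt $tries of 3.</body></html>"

    HTTP::respond 200 content $html \
        "Content-Type" "text/html" \
        "Cache-Control" "no-store" \
        "Set-Cookie" "cert_retry=$tries; Path=/; Secure; HttpOnly"
}
```

A request that still carries no certificate after the refresh lands in the same event with the incremented cookie, which is how the "3 times, 10 seconds apart" loop is realised without any server-side waiting.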

     

  • Use this in the HTTP::content response: document.execCommand('ClearAuthenticationCache')

    • Michael_57131

      Yes, with this JavaScript in the HTTP::response it is working the way that we need, at least for IE. Going to test with Chrome and see if it will work with the 'ClearAuthenticationCache' argument.

  • I was going to say... you're not going to be able to affect a client-side state change without some code client-side to trigger it.