Forum Discussion

jakru_162096
Nov 06, 2018

HTTPS certificate fields into HTTP header

Hello,


I tried to insert some fields taken from certificates into the HTTP header using the iRule from here: https://devcentral.f5.com/wiki/iRules.iRulesCommonConcepts.ashx iRule 6. I am using an HTTPS virtual server that uses client cert authentication with an HTTP pool attached (encryption only on the client side). However, without the iRule I can connect to the server and view the page; when I connect to the server with the iRule enabled, I can't. This is what I can find in /var/log/ltm: Has anyone ever encountered something like this? I was trying to fight this error and modified the iRule a bit, but the edited iRule does not insert anything into the HTTP header from what I see. Edited iRule below (I had to paste it as an image; otherwise it gets identified as spam):


1 Reply

  • Well, two things,

    • You're not getting to the server because the iRule is triggering a fatal error. This appears to be in the "session add ssl" statement. What version of BIG-IP are you running?

    • Otherwise, in modern versions of BIG-IP, the client SSL profile has a setting called Retain Certificate which enables it to store the SSL certificate information over the life of the connection. The page you're referencing is super old and this wasn't an option back then. So with this setting enabled, you don't actually need to store the certificate information in the session table. It's accessible directly from the HTTP_REQUEST event.

      when HTTP_REQUEST {
          # Readable result of the client-cert verification (needs Retain Certificate on the client SSL profile)
          HTTP::header insert SSLClientCertStatus [X509::verify_cert_error_string [SSL::verify_result]]
          # SSL::cert 0 is the first (leaf) certificate the client presented
          HTTP::header insert SSLClientCertSN [SSL::cert 0]
      }

    I'd also recommend two things:

    • That you use HTTP::header replace instead of "insert". If the user injects their own SSLClientCertStatus header, the insert option won't overwrite this, but replace will.
    • The [SSL::cert 0] command returns the binary certificate, which is probably not what you want in an HTTP header. Perhaps it'd make more sense to send the PEM version of the cert with [X509::whole [SSL::cert 0]].
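Putting the reply's two recommendations together, here is an added iRule example (my own, not code from the reply or from F5). It assumes a client SSL profile with Retain Certificate enabled; the X-Client-Cert-* header names are assumptions chosen for this example.

```tcl
# Added example, not from the post: forward client-cert details to the pool
# member in a way the client cannot pre-populate. Header names are assumed.
when HTTP_REQUEST {
    # Strip any copies the client sent first. HTTP::header replace only acts on
    # the last occurrence of a name, so a duplicated header could otherwise
    # reach the server; remove-then-insert covers that case as well.
    HTTP::header remove X-Client-Cert-Status
    HTTP::header remove X-Client-Cert-Subject
    HTTP::header remove X-Client-Cert-Serial
    HTTP::header remove X-Client-Cert

    # With Retain Certificate on the client SSL profile, the certificate is
    # still available here, so no session table lookup is needed.
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]

        # Human-readable verification result for the client certificate
        HTTP::header insert X-Client-Cert-Status \
            [X509::verify_cert_error_string [SSL::verify_result]]
        HTTP::header insert X-Client-Cert-Subject [X509::subject $cert]
        HTTP::header insert X-Client-Cert-Serial [X509::serial_number $cert]

        # X509::whole returns PEM, which spans several lines; header values
        # cannot contain CR or LF, so collapse the PEM onto a single line.
        HTTP::header insert X-Client-Cert \
            [string map [list "\r" "" "\n" ""] [X509::whole $cert]]
    } else {
        # No client certificate presented (e.g. profile set to "request",
        # not "require"); tell the server explicitly rather than sending nothing.
        HTTP::header insert X-Client-Cert-Status "no-certificate"
    }
}
```

The backend should trust these headers only for requests that arrive through this virtual server, since any other path to the pool member could set them freely.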