David_Larsen
Dec 20, 2010

Client Cert Auth Failures

Do you have any idea what would cause this? I have an iRule configured to do client certificate authentication. When the client accessing is IE, the authentication works fine and the HTTP headers are sent through to the pool members. But when the certificate auth is done using a SOAPUI method, the client cert auth appears to work, but then it doesn't send through to the pool members. It is almost as if the HTTP::collect doesn't release when using SOAPUI.

The log shows the following when IE is used:

Dec 20 18:07:13 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : URI = /ServiceGateway
Dec 20 18:07:13 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : header name IN= Host User-Agent Accept Accept-Language Accept-Encoding Accept-Charset Keep-Alive Connection Cookie If-Modified-Since If-None-Match
Dec 20 18:07:22 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : Client Certificate Accepted: CN:Certname
Dec 20 18:07:22 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : Client Certificate Issuer: CN=Certname of Issuer
Dec 20 18:07:22 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : header name OUT= Host User-Agent Accept Accept-Language Accept-Encoding Accept-Charset Keep-Alive Connection Cookie If-Modified-Since If-None-Match

If SOAPUI is used, here are the log results of the iRule below:

Dec 20 17:23:52 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : URI = /ServiceGateway
Dec 20 17:23:52 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : header name IN= Accept-Encoding Content-Type SOAPAction User-Agent Host Content-Length
Dec 20 17:23:52 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : Client Certificate Accepted: CN:Certname
Dec 20 17:23:52 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : Client Certificate Issuer: CN:Certname of Issuer

Here is the rule:

when RULE_INIT {
    set ::debug 1
}

when CLIENTSSL_CLIENTCERT {
    # Release the request that HTTP_REQUEST held with HTTP::collect
    HTTP::release

    # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
    set subject_dn [X509::subject [SSL::cert 0]]
    set issuer_dn [X509::issuer [SSL::cert 0]]
    if { $::debug > 0 } { log "Client Certificate Received: $subject_dn" }

    # Check if the client certificate contains the correct O and a CN from the list
    # (my_cn_list and my_issuer_list are data groups defined outside this iRule)
    if { ([matchclass $subject_dn contains $::my_cn_list]) and ([matchclass $issuer_dn contains $::my_issuer_list]) } {
        # Accept the client cert
        if { $::debug > 0 } { log "Client Certificate Accepted: $subject_dn" }
        if { $::debug > 0 } { log "Client Certificate Issuer: $issuer_dn" }
    } else {
        if { $::debug > 0 } { log "No Matching Client Certificate Was Found Using: $subject_dn" }
        if { $::debug > 0 } { log "issuer_dn = $issuer_dn" }
        reject
    }
}

when HTTP_REQUEST {
    if { $::debug > 0 } { log "URI = [HTTP::uri]" }
    # requires_client_cert is a data group of URI prefixes that need a client cert
    if { [matchclass [HTTP::uri] starts_with $::requires_client_cert] } {
        if { [SSL::cert count] <= 0 } {
            # Hold the request until the renegotiation has delivered a certificate
            HTTP::collect
            if { $::debug > 0 } { log "header name IN= [HTTP::header names]" }
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        if { [SSL::cert count] > 0 } {
            if { $::debug > 0 } { log "header name OUT= [HTTP::header names]" }
            HTTP::header insert "X-SSL-Session-ID" [SSL::sessionid]
            HTTP::header insert "X-SSL-Client-Cert-Status" [X509::verify_cert_error_string [SSL::verify_result]]
            HTTP::header insert "X-SSL-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
            HTTP::header insert "X-SSL-Client-Cert-Issuer" [X509::issuer [SSL::cert 0]]
        }
    }
}
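The following is an added example, not part of the original post and not F5 code: a small Python script that reads the two tmm log extracts above and reports which events of the posted iRule each request reached. The mapping from log message to event follows the iRule's own log statements (URI and IN from HTTP_REQUEST, Accepted and Issuer from CLIENTSSL_CLIENTCERT, OUT from HTTP_REQUEST_SEND). The sample input is the log text from the post, pasted verbatim including the line on which two entries arrived fused together; the syslog prefix pattern assumes the `Mon DD HH:MM:SS local/tmm ` format shown there, and the phase labels and the `sent_with_cert` key are names chosen here.

```python
"""Check a tmm log extract from the client_cert_auth iRule for a complete
request lifecycle: HTTP_REQUEST -> CLIENTSSL_CLIENTCERT -> HTTP_REQUEST_SEND.
The 'header name OUT=' line is only logged from HTTP_REQUEST_SEND when a
client certificate is present, so a trace without it shows a request that
was either never released from HTTP::collect or sent without the cert."""
import re

# Constructed sample input: the two log extracts from the post above.
# The SOAPUI extract keeps the two entries that were fused onto one line.
IE_TRACE = """\
Dec 20 18:07:13 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : URI = /ServiceGateway
Dec 20 18:07:13 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : header name IN= Host User-Agent Accept Accept-Language Accept-Encoding Accept-Charset Keep-Alive Connection Cookie If-Modified-Since If-None-Match
Dec 20 18:07:22 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : Client Certificate Accepted: CN:Certname
Dec 20 18:07:22 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : Client Certificate Issuer: CN=Certname of Issuer
Dec 20 18:07:22 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : header name OUT= Host User-Agent Accept Accept-Language Accept-Encoding Accept-Charset Keep-Alive Connection Cookie If-Modified-Since If-None-Match
"""

SOAPUI_TRACE = """\
Dec 20 17:23:52 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : URI = /ServiceGateway
Dec 20 17:23:52 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : header name IN= Accept-Encoding Content-Type SOAPAction User-Agent Host Content-Length
Dec 20 17:23:52 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : Client Certificate Accepted: CN:CertnameDec 20 17:23:52 local/tmm info tmm[4815]: 01220002:6: Rule client_cert_auth : Client Certificate Issuer: CN:Certname of Issuer
"""

# Start of a syslog entry as tmm writes it (assumed format, as in the post);
# used to re-split lines on which two entries were fused.
ENTRY_START = re.compile(r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} local/tmm ")
# "Rule <name> : <message>" is the part produced by the iRule's log command.
MESSAGE = re.compile(r"Rule (?P<rule>\S+) : (?P<msg>.*)$")

# Message prefix -> phase label, in the order the iRule emits them.
PHASES = {
    "URI = ": "URI",                              # HTTP_REQUEST
    "header name IN= ": "IN",                     # HTTP_REQUEST, before SSL::renegotiate
    "Client Certificate Accepted: ": "ACCEPTED",  # CLIENTSSL_CLIENTCERT
    "Client Certificate Issuer: ": "ISSUER",      # CLIENTSSL_CLIENTCERT
    "header name OUT= ": "OUT",                   # HTTP_REQUEST_SEND, cert count > 0
}
# Request headers whose presence in the IN list means the request has a body.
BODY_HEADERS = {"content-length", "transfer-encoding"}


def split_entries(text):
    """Return one string per log entry, re-splitting lines that carry
    two entries with no newline between them."""
    entries = []
    for line in text.splitlines():
        starts = [m.start() for m in ENTRY_START.finditer(line)]
        for a, b in zip(starts, starts[1:] + [len(line)]):
            entries.append(line[a:b].strip())
    return entries


def analyze(text):
    """Summarise which iRule phases a trace reached and whether the request
    carried a body according to the header names logged at HTTP_REQUEST."""
    phases, has_body = [], False
    for entry in split_entries(text):
        m = MESSAGE.search(entry)
        if not m:
            continue
        msg = m.group("msg")
        for prefix, label in PHASES.items():
            if msg.startswith(prefix):
                phases.append(label)
                if label == "IN":
                    names = msg[len(prefix):].split()
                    has_body = any(n.lower() in BODY_HEADERS for n in names)
    return {
        "phases": phases,
        "missing": [label for label in PHASES.values() if label not in phases],
        "request_has_body": has_body,
        # OUT is logged only from HTTP_REQUEST_SEND with a cert present.
        "sent_with_cert": "OUT" in phases,
    }


if __name__ == "__main__":
    for name, trace in (("IE", IE_TRACE), ("SOAPUI", SOAPUI_TRACE)):
        print(name, analyze(trace))
```

Run against the two extracts, the IE trace reaches all five phases, while the SOAPUI trace stops after CLIENTSSL_CLIENTCERT and is the only one whose IN header list includes Content-Length, which is the difference the post's symptom description points at.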