Forum Discussion

zafer
Dec 23, 2009

Client Certificate validation problem with Firefox

Hello

I'm doing client certificate validation with an iRule. Everything works properly with Internet Explorer, but when we use Firefox we see the client certificate request from the BIG-IP multiple times.

Here is information on a similar problem:

http://hexale.blogspot.com/2008/12/firefox-and-client-certificates-privacy.html

How can I solve this problem?

Regards

zafer

5 Replies

  • Hi Zafer,

    Can you try testing by setting 'SSL::authenticate once' instead of 'SSL::authenticate always'?

    Thanks,

    Aaron
  • zafer
    Hello Aaron

    Here is my rule.

    I have a problem with Firefox (older versions): it asks for the client certificate multiple times. I don't have the problem with IE or the latest Firefox release.

    I tried this rule; I added (SSL::authenticate once) to it.

    Another problem: sometimes the client waits on the page and then clicks somewhere, but the request matches the elseif section in the iRule (it does not have a client certificate). We have this problem randomly.

    Note: the server session timeout value is 10 minutes.

    What can the problem be?

    Regards

    zafer

    when CLIENTSSL_CLIENTCERT {
        # time to maintain session data (in seconds)
        set session_timeout 7200
        # client certificate and its verification result, cached under the SSL session ID
        set ssl_cert [SSL::cert 0]
        set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
        set ssl_stuff [list $ssl_cert $ssl_errstr]
        session add ssl [SSL::sessionid] $ssl_stuff $session_timeout
    }

    when HTTP_REQUEST {
        # look up the cached certificate data for this SSL session
        set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
        set ssl_cert2 [lindex $ssl_stuff2 0]
        set ssl_errstr2 [lindex $ssl_stuff2 1]
        if { $ssl_errstr2 eq "ok" } {
            SSL::authenticate once
            HTTP::header insert SSLClientCertStatus $ssl_errstr2
            HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
            HTTP::header insert SSLClientCertb64 [b64encode $ssl_cert2]
            HTTP::header insert ClientSSL_Serial_F5 [X509::serial_number $ssl_cert2]
            HTTP::header insert ClientSSL_Issuer_F5 [X509::issuer $ssl_cert2]
            HTTP::header insert ClientSSL_subject_F5 [X509::subject $ssl_cert2]
            HTTP::header insert ClientSSL_not_valid_after_F5 [X509::not_valid_after $ssl_cert2]
            HTTP::header insert ClientSSL_not_valid_before_F5 [X509::not_valid_before $ssl_cert2]
        } elseif { $ssl_errstr2 eq "" } {
            # no certificate data cached for this session
            SSL::renegotiate
            HTTP::redirect "http://domain.com/nocert.asp"
            log local0. "client: [IP::remote_addr]:[TCP::remote_port] Empty certificate request"
        } else {
            # send HTTP 302 redirect to an error page
            HTTP::redirect "http://domain.com/error.asp"
            log local0. "client: [IP::remote_addr]:[TCP::remote_port] Not valid or not empty request"
        }
    }
  • zafer
    Hello Aaron

    Here is my rule.

    I have a problem with Firefox (older versions): it asks for the client certificate multiple times. I don't have the problem with IE or the latest Firefox release.

    I tried this rule; I added (SSL::authenticate once) to it.

    Another problem: sometimes the client waits on the page and then clicks somewhere, but the request matches the elseif section in the iRule (it does not have a client certificate). We have this problem randomly.

    Note: the server session timeout value is 10 minutes.

    What can the problem be?

    Regards

    zafer

    when CLIENTSSL_CLIENTCERT {
        # time to maintain session data (in seconds)
        set session_timeout 7200
        # client certificate and its verification result, cached under the SSL session ID
        set ssl_cert [SSL::cert 0]
        set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
        set ssl_stuff [list $ssl_cert $ssl_errstr]
        session add ssl [SSL::sessionid] $ssl_stuff $session_timeout
    }

    when HTTP_REQUEST {
        # look up the cached certificate data for this SSL session
        set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
        set ssl_cert2 [lindex $ssl_stuff2 0]
        set ssl_errstr2 [lindex $ssl_stuff2 1]
        if { $ssl_errstr2 eq "ok" } {
            SSL::authenticate once
            HTTP::header insert SSLClientCertStatus $ssl_errstr2
            HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
            HTTP::header insert SSLClientCertb64 [b64encode $ssl_cert2]
            HTTP::header insert ClientSSL_Serial_F5 [X509::serial_number $ssl_cert2]
            HTTP::header insert ClientSSL_Issuer_F5 [X509::issuer $ssl_cert2]
            HTTP::header insert ClientSSL_subject_F5 [X509::subject $ssl_cert2]
            HTTP::header insert ClientSSL_not_valid_after_F5 [X509::not_valid_after $ssl_cert2]
            HTTP::header insert ClientSSL_not_valid_before_F5 [X509::not_valid_before $ssl_cert2]
        } elseif { $ssl_errstr2 eq "" } {
            # no certificate data cached for this session
            HTTP::redirect "http://domain.com/nocert.asp"
            log local0. "client: [IP::remote_addr]:[TCP::remote_port] Empty certificate request"
        } else {
            # send HTTP 302 redirect to an error page
            HTTP::redirect "http://domain.com/error.asp"
            log local0. "client: [IP::remote_addr]:[TCP::remote_port] Not valid or not empty request"
        }
    }
  • zafer
    Please discard the first message; I forgot something in the rule.

    zafer
  • Hi Zafer,

    Can you check your other post for a suggested update to the iRule ()? If you have any problems, please include details of what iRule, browser and client cert you're testing with.

    Thanks,

    Aaron