Hello Aaron
here is my rule,
I have a problem with older versions of Firefox: they ask for the client certificate multiple times. I don't have this problem with IE or the latest Firefox release.
I tried this rule, and I added SSL::authenticate once to it.
Another problem: sometimes a client waits on the page and then clicks somewhere, but the request matches the elseif section of the iRule (as if it did not have a client certificate). This problem occurs randomly.
note: server session timeout value is 10 minutes
What could be the problem?
regards
zafer
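when CLIENTSSL_CLIENTCERT {
    # Cache the client certificate and its verification result in the session
    # table, keyed by the SSL session ID, so that HTTP_REQUEST can read them
    # back for every request on that SSL session.

    # time to maintain session data (in seconds)
    # NOTE(review): the post says the server session timeout is 10 minutes,
    # while this entry lives for 7200 s; confirm the two are meant to differ.
    set session_timeout 7200

    # Certificate at index 0 of what the client presented.
    # NOTE(review): presumably this is the client's own leaf certificate, and
    # presumably this event can fire with no certificate at all; confirm, and
    # check the certificate count first if so.
    set ssl_cert [SSL::cert 0]

    # Verification result as text; HTTP_REQUEST compares it with "ok".
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]

    # Stored as a two-element list: index 0 = certificate, index 1 = status.
    set ssl_stuff [list $ssl_cert $ssl_errstr]

    # NOTE(review): the table key is the SSL session ID. If that ID can be
    # empty on this profile (for example with the session cache disabled),
    # every such connection would share one entry and could be handed another
    # client's certificate data. Confirm, and fail closed on an empty ID.
    session add ssl [SSL::sessionid] $ssl_stuff $session_timeout
}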
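when HTTP_REQUEST {
    # Look up the certificate data cached by CLIENTSSL_CLIENTCERT for this SSL
    # session and either forward the request with the certificate details in
    # HTTP headers, or redirect the client to a "no certificate" / error page.

    # The headers below are identity assertions made by this rule. Drop any
    # copies the client sent itself, so the back end can never read a
    # client-supplied value in place of (or alongside) the one inserted here.
    foreach cert_hdr {SSLClientCertStatus SSLClientCertSN SSLClientCertb64 ClientSSL_Serial_F5 ClientSSL_Issuer_F5 ClientSSL_subject_F5 ClientSSL_not_valid_after_F5 ClientSSL_not_valid_before_F5} {
        HTTP::header remove $cert_hdr
    }

    # Entry layout: index 0 = certificate, index 1 = verification status text.
    # NOTE(review): the lookup returns nothing when no entry exists under the
    # current SSL session ID. Presumably that is what happens when the ID
    # differs from the one seen in CLIENTSSL_CLIENTCERT, which would explain
    # requests randomly landing in the elseif branch; confirm by logging the
    # session ID in both events.
    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
    set ssl_cert2 [lindex $ssl_stuff2 0]
    set ssl_errstr2 [lindex $ssl_stuff2 1]

    if { $ssl_errstr2 eq "ok" } {
        # Certificate verified: set the authentication frequency to once, then
        # pass the certificate details to the server.
        SSL::authenticate once
        HTTP::header insert SSLClientCertStatus $ssl_errstr2
        HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
        HTTP::header insert SSLClientCertb64 [b64encode $ssl_cert2]
        HTTP::header insert ClientSSL_Serial_F5 [X509::serial_number $ssl_cert2]
        HTTP::header insert ClientSSL_Issuer_F5 [X509::issuer $ssl_cert2]
        HTTP::header insert ClientSSL_subject_F5 [X509::subject $ssl_cert2]
        HTTP::header insert ClientSSL_not_valid_after_F5 [X509::not_valid_after $ssl_cert2]
        HTTP::header insert ClientSSL_not_valid_before_F5 [X509::not_valid_before $ssl_cert2]
    } elseif { $ssl_errstr2 eq "" } {
        # No cached status for this session: renegotiate and send the client
        # to the "no certificate" page.
        # NOTE(review): the redirect target is plain http; confirm that is
        # intended for a client arriving over SSL.
        SSL::renegotiate
        HTTP::redirect "http://domain.com/nocert.asp"
        log local0. "client: [IP::remote_addr]:[TCP::remote_port] Empty certificate request"
    } else {
        # send HTTP 302 redirect to an error page
        # A certificate was cached but its verification status is not "ok".
        HTTP::redirect "http://domain.com/error.asp"
        log local0. "client: [IP::remote_addr]:[TCP::remote_port] Not valid or not empty request"
    }
}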