Sake_Blok
May 10, 2007Nimbostratus
Providing an http-response after killing a serverside SSL connection
Hi,
I'm building an iRule on a vip with serverside-ssl. The iRule must validate the common name in the server-certificate dynamically against the Host: header in the http-request. If the cn doe not match, the iRule should terminate the ssl-session on the server-side and give a http-error-response on the client-side.
Here is what I have so far:
when HTTP_REQUEST {
set hostname [HTTP::host]
}
when SERVERSSL_HANDSHAKE {
set sslcert [SSL::cert 0]
set cn [findstr [X509::subject $sslcert] "CN=" 3]
if { $cn ne $hostname } {
reject
log local0. "Connection closed $cn != $hostname"
}
}
I want to make sure that the initial http-request does not get forwarded to the back-end-server before I terminate the connection, so using the HTTP_RESPONSE event to give the error-message is not an option. Unfortunately I can't use "HTTP:respond" in the SERVERSSL_HANDSHAKE event.
Is there a way to close the SSL-session on the serverside *before* the client-request is forwarded to it, while keeping the client-connection open to provide an http-error-response?
I also tried LB::detach, but then the connection stalls. Is ther a way to turn back to the client-connection after the LB::detach command?
Cheers,
Sake