Forum Discussion
Any incoming request (not just the initial connection)
One of the software guys has presented the following to me. Any help would be much appreciated!
"I think part of what might be going on with this is that HTTP 1.1 does not require a new connection with each request. This means that a tcp connection is made, but then there may be multiple request/response pairs that are sent. If the security subject is only being passed through on the initial connection, then you would get the behavior we are seeing. (Note that I am trying to guess backwards from symptom to problem…not something I like doing).
What we actually need is for any incoming request (not just the initial connection) the subject header from the certificate needs to be added.
I guess in this direction because Bill is telling me that when he restarts SOAPUI, it will go back to working once for him. This tells me that either:
1. In spite of SOAPUI saying that it is going to close connections after each request…it isn't.
2. The F5 is doing something overly smart in relation to Bill and his session (unlikely)."
Below is the iRule currently assigned to the VIP:

when CLIENTSSL_CLIENTCERT {
    # Runs once per TLS handshake, when the client presents its certificate
    set cert_subject [X509::subject [SSL::cert 0]]
    if { $cert_subject == "" } {
        log "[IP::client_addr]:[TCP::client_port]: No client cert found!"
    }
}
when HTTP_REQUEST {
    # Runs for every HTTP request on the connection, not only the first one
    if { [info exists cert_subject] } {
        HTTP::header insert SSLClientCertSubject $cert_subject
        return
    }
}
3 Replies
- nitass
Employee
I understand HTTP_REQUEST is executed on every request (not only the initial one). Can you add some log commands?

[root@ve10:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:443
   ip protocol 6
   rules myrule
   profiles {
      clientssl {
         clientside
      }
      http {}
      tcp {}
   }
}
[root@ve10:Active] config b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}
[root@ve10:Active] config b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
      log local0. "--"
   }
   when CLIENTSSL_HANDSHAKE {
      log local0. "--"
   }
   when HTTP_REQUEST {
      log local0. "--"
      log local0. "client [IP::client_addr]:[TCP::client_port] | request [HTTP::uri]"
   }
}
[root@ve10:Active] config cat /var/log/ltm
Oct 27 11:06:28 local/tmm info tmm[7926]: Rule myrule : --
Oct 27 11:06:28 local/tmm info tmm[7926]: Rule myrule : --
Oct 27 11:06:30 local/tmm info tmm[7926]: Rule myrule : --
Oct 27 11:06:30 local/tmm info tmm[7926]: Rule myrule : --
Oct 27 11:06:31 local/tmm info tmm[7926]: Rule myrule : --
Oct 27 11:06:31 local/tmm info tmm[7926]: Rule myrule : --
Oct 27 11:06:31 local/tmm info tmm[7926]: Rule myrule : --
Oct 27 11:06:31 local/tmm info tmm[7926]: Rule myrule : client 172.18.205.28:46908 | request /index.html
Oct 27 11:06:31 local/tmm info tmm[7926]: Rule myrule : --
Oct 27 11:06:31 local/tmm info tmm[7926]: Rule myrule : client 172.18.205.28:46908 | request /f5.gif
Oct 27 11:06:32 local/tmm info tmm[7926]: Rule myrule : --
Oct 27 11:06:32 local/tmm info tmm[7926]: Rule myrule : client 172.18.205.28:46908 | request /favicon.ico
Oct 27 11:06:32 local/tmm info tmm[7926]: Rule myrule : --
Oct 27 11:06:32 local/tmm info tmm[7926]: Rule myrule : client 172.18.205.28:46908 | request /favicon.ico
- RiverFish
Altostratus
Thanks! This will give us more visibility as to what is happening.
- hoolio
Cirrostratus
Hi tzemler,

when HTTP_REQUEST {
   if { [SSL::cert 0] ne "" and [set cert_subject [X509::subject [SSL::cert 0]]] ne "" } {
      HTTP::header insert SSLClientCertSubject $cert_subject
   }
}
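A hardened version of the approach in the reply above, as an added example that is not part of this thread and not the poster's or F5's code. It addresses both the original iRule and the fix suggested here: the certificate is read from the SSL session inside HTTP_REQUEST, so every request on a keep-alive connection is treated like the first one, and any copy of the header the client sent itself is stripped before the real value is inserted, since a back end that trusts this header would otherwise accept a forged identity. Assumptions: the header name SSLClientCertSubject from the original iRule, a clientssl profile that requests a client certificate, and the policy choice (assumed here, not stated in the thread) of answering 403 when no usable certificate is present.

```tcl
# Added example, not the thread's own code. Assumes the header name
# SSLClientCertSubject from the original iRule and a clientssl profile that
# requests a client certificate. Returning 403 on a missing cert is an
# assumed policy; drop that branch if the back end handles anonymous clients.
when HTTP_REQUEST {
    # Strip client-supplied copies first. Without this a client could send its
    # own SSLClientCertSubject header and the back end might trust the forgery.
    HTTP::header remove SSLClientCertSubject

    # Read the certificate from the SSL session on this request rather than
    # from a variable set in CLIENTSSL_CLIENTCERT, so requests after the first
    # one on a keep-alive connection get the same treatment.
    set cert_subject ""
    if { [SSL::cert count] > 0 } {
        set cert_subject [X509::subject [SSL::cert 0]]
    }

    if { $cert_subject eq "" } {
        log local0. "[IP::client_addr]:[TCP::client_port] [HTTP::uri]: no client cert subject, rejecting"
        HTTP::respond 403 content "client certificate required"
        return
    }

    HTTP::header insert SSLClientCertSubject $cert_subject
    # Debug line: one entry per request, useful while confirming the fix.
    log local0. "[IP::client_addr]:[TCP::client_port] [HTTP::uri]: subject=$cert_subject"
}
```

The HTTP::header remove line is the part that matters for trust: header insertion alone appends a second header and leaves whatever the client sent in place. The per-request log line is there to confirm, in the same way as the /var/log/ltm output earlier in the thread, that the header is added on every request and not only on the first one; remove it once the behaviour is verified.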