Forum Discussion
RiverFish
Altostratus
AltostratusAny incoming request (not just the initial connection)
One of the software guys has presented the following to me. Any help would be much appreciated!
"I think part of what might be going on with this is that HTTP 1.1 does not require a new c...
hoolio
Cirrostratus
CirrostratusHi tzemler,
From 10.1 on, you can use [SSL::cert 0] to get the client cert for the duration of the client's SSL session:
https://devcentral.f5.com/wiki/iRules.ssl__cert.ashx
Note: As of 10.1.0, as described in CR116806, the following iRule commands now apply to the lifetime of the SSL session, and not only for the connection in which the system receives the client certificate:
SSL::cert
SSL::cert issuer
SSL::cert count
With this change, the system stores the received peer certificate in the SSL session table, so the certificate is available to the specified iRule commands as long as the SSL session is valid. In previous releases, the CLIENTSSL_CLIENTCERT iRule event retrieved the peer certificate; now the stored certificate can also be retrieved inside the HTTP_REQUEST event.
Can you try this?
when HTTP_REQUEST {
if { [SSL::cert 0] ne "" and [set cert_subject [X509::subject [SSL::cert 0]]] ne ""} {
HTTP::header insert SSLClientCertSubject $cert_subject
}
}
If you want to validate the client cert chains correctly to the trusted root CA bundle and hasn't expired, see the first example in the SSL::cert wiki page.
Aaron
