Forum Discussion
Banny_Lau_10257
Nimbostratus
Jun 22, 2005
Any Solution
I am sorry, I am a newbie at writing iRules and configuring BIG-IP v9.1. Could anyone help me with the following:
Do you have any solution for configuring SSL Client Authentication and no SSL Client Authentication on different URIs under the same URL host address?
e.g.
1. SSL Client Authentication is activated while accessing https://test.com/abc/test.jsp
2. No SSL Client Authentication is activated while accessing any subdirectories of https://test.com/ except the former URL.
11 Replies
- Tao_Liu_90341
Historic F5 Account
Yes, you can. What you need is to write a customized auth rule which performs SSL authentication after receiving the HTTP request (which also means the SSL handshake has already completed). In that rule, it can decide whether to perform authentication or not based on the URI.
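An added example of the per-URI decision described above (this is not code from the thread or from F5): the request for the protected URI is held, the handshake is renegotiated with a certificate required, and the held request is released only when a verified certificate arrived, otherwise the connection is dropped. It focuses on enforcement only, not on header insertion. Assumptions: BIG-IP v9 iRule syntax, a client SSL profile whose default certificate mode is "ignore" so other URIs need no certificate, and the path /manual/ as the protected URI.

```tcl
# Added example (not from this thread): require a verified client certificate
# only for /manual/ on one virtual server, failing closed when the client
# cannot produce one. Assumes BIG-IP v9 iRule syntax.
when CLIENT_ACCEPTED {
    # Per-connection state. Deliberately not global (::) variables, which in
    # v9 are shared by every connection on the box.
    set cert_verified 0
    set reneg_pending 0
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/manual/" && !$cert_verified } {
        # Hold this request until the renegotiated handshake has finished,
        # then demand a certificate and verify its chain (depth 9 allows
        # intermediate CAs). session invalidate forces a full handshake
        # instead of a resumption that would skip the certificate request.
        HTTP::collect
        set reneg_pending 1
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        SSL::renegotiate
    }
}

when CLIENTSSL_CLIENTCERT {
    # A certificate only counts if one is present AND it verified (0 = OK).
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set cert_verified 1
        log local0. "verified client cert: [X509::subject [SSL::cert 0]]"
    }
}

when CLIENTSSL_HANDSHAKE {
    # This event also fires for the initial handshake; only act on the
    # renegotiation we triggered for the protected URI.
    if { !$reneg_pending } {
        return
    }
    set reneg_pending 0
    if { $cert_verified } {
        # Release the held request to the server.
        HTTP::release
    } else {
        # No valid certificate after renegotiation: drop the connection
        # rather than letting the held request through.
        log local0. "no verified client cert from [IP::client_addr], rejecting"
        reject
    }
}
```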
- Banny_Lau_10257
Nimbostratus
Hi!
Do you have any example of an iRule for SSL Client authentication and SSL Server Authentication? Could I have it? Could I directly call the SSL Client/Server Profile from an iRule? Thanks!
- Tao_Liu_90341
Historic F5 Account
I am not sure if you want to do certificate authentication using LDAP or OCSP. Other than that, SSL authentication lies in the SSL profile. Could you describe your scenario in detail?
- bl0ndie_127134
Historic F5 Account
- Banny_Lau_10257
Nimbostratus
I wrote the following rule set, but it is not stable! Sometimes I access https:///manual/ with IE and no Certificate Authentication dialog box appears and "The page cannot be displayed" is shown. Sometimes it seems that authentication succeeded with the BIG-IP, but it also displays "The page cannot be displayed". Sometimes the page displays without problem. Could you tell me how to solve the problem and what happened? Could you suggest any solution? Thanks a lot!
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/manual/" } {
        # Demand and verify a client certificate for this URI only, then
        # renegotiate so the already-completed handshake asks for it
        SSL::cert mode require
        log LOCAL0.warn "Requiring certificate and Renegotiate..."
        log LOCAL0.warn "Set Authenticate always and depth 9..."
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::renegotiate
    } else {
        # Every other URI is served without a client certificate
        SSL::cert mode ignore
        log LOCAL0. "Other Pages"
    }
}
- Banny_Lau_10257
Nimbostratus
I am sorry, I did not use LDAP or OCSP for authentication!
- Banny_Lau_10257
Nimbostratus
I would like to build SSL client authentication into one of the jsp or html pages. I set up a test environment with the Apache welcome page. Whenever I click the link to https:///manual/ or type the URL, the Client Authentication dialog box (ici-appl-wo-client profile) is displayed. After the client authentication finishes, the header insertion has to be done before the request is sent to the server with SSL Server Authentication (SSL-Self profile).
when CLIENT_ACCEPTED {
    # Per-connection state. The original used global (::) variables, which in
    # v9 are shared by every connection and were read before being set, so one
    # client's certificate could end up in another client's headers
    set gotcert 0
    set crt ""
}
when CLIENTSSL_CLIENTCERT {
    log LOCAL0.warn "cert count=[SSL::cert count] result=[SSL::verify_result]"
    # A certificate is good only if one was presented AND it verified (0 = OK);
    # the original "or" accepted a certificate that failed verification
    if { $gotcert == 0 && [SSL::cert count] != 0 && [SSL::verify_result] == 0 } {
        log LOCAL0.warn "Good cert!"
        set gotcert 1
        set crt [SSL::cert 0]
        log LOCAL0. "GOTCERT $crt"
    } else {
        log LOCAL0.warn "No verified client certificate on this connection"
    }
}
when HTTP_REQUEST {
    log LOCAL0. "HTTP-RQ"
    HTTP::header insert "CLIENT_IP" [IP::client_addr]
    # Only insert certificate headers once a verified certificate was seen;
    # reading an unset $crt would abort the rule with a Tcl error
    if { $gotcert == 1 } {
        log LOCAL0. "[X509::subject $crt]"
        HTTP::header insert "SSL_CLIENT_M_SERIAL" [X509::serial_number $crt]
        HTTP::header insert "SSL_CLIENT_I_DN" [SSL::cert issuer 0]
        HTTP::header insert "SSL_CLIENT_S_DN" [X509::subject $crt]
        HTTP::header insert "SSL_CLIENT_I_DN_x509" [X509::issuer $crt]
        HTTP::header insert "SSL_CLIENT_CERT" [X509::whole $crt]
    }
}
- Tao_Liu_90341
Historic F5 Account
According to your sample rule above, there is a problem with HTTP::header insert if that happens in CLIENTSSL_CERTIFICATE.
Another choice is, when someone accesses a certain URI, to do an HTTP::redirect instead of using SSL::renegotiate. On the targeted VIP, the client has to present its certificate.
- unRuleY_95363
Historic F5 Account
I can't help you with the certificate stuff, but I can help you with the error:
error: "can't use non-numeric string as operand of "!""
This is caused by the line:
if { not $new_uri starts_with "/" } {
The "not" operator has higher precedence than the "starts_with" operator. This means that the not is applied to the operand to its right before the starts_with operator is applied to its operands. In other words, the default result of precedence can be more clearly shown with parentheses:
if { (not $new_uri) starts_with "/" } {
Clearly, this is not what you would actually want, as taking the not of a string value makes no sense. Unfortunately, this particular order of precedence is specific to Tcl and common to many other programming languages like C, C++, Java, etc.
To solve your problem, simply add some parentheses like so:
if { not ( $new_uri starts_with "/" ) } {
Hope this helps.
- Banny_Lau_10257
Nimbostratus
I am sorry for the mistakes. Thank you for your kind help! Could anyone help me solve the problem of the scenario?