Forum Discussion
MikeRobinson_64 (Nimbostratus) - Dec 01, 2009
auth_result not called for some client certificates
Hi everyone,
I am trying to resolve an issue with an iRule that is utilized to ask for client certificates for certain folders. The iRule works great except for certain client certific...
hoolio (Cirrostratus) - Dec 02, 2009
Hi Mike,
Sorry for not being clearer; I was thinking you already had a fair amount of debug logging in the iRule. I was confusing it with another post. Could you add debug logging to each major code block in the existing iRule and post the /var/log/ltm output from a failure? Here's an example of the kind of info that would be helpful:
when CLIENT_ACCEPTED {
    # Per-connection state. needcert is set to 1 elsewhere in the rule when the
    # requested folder requires a client certificate; that part is not shown here.
    set needcert 0
    set gotcert 0
    set badcert 0
    set tmm_auth_ssl_ocsp_sid 0
    set tmm_auth_ssl_ocsp_done 0
    log local0. "[IP::client_addr]:[TCP::client_port]: New TCP connection"
}
when CLIENTSSL_HANDSHAKE {
    # Fires once the SSL handshake has completed (after any SSL::handshake resume)
    set certcnt [SSL::cert count]
    log local0. "[IP::client_addr]:[TCP::client_port]: Cert count: $certcnt"
    if { $certcnt > 0 } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Cert0 subject: [X509::subject [SSL::cert 0]]. Releasing HTTP."
        set gotcert 1
        # Release the HTTP request that was held while the client cert was requested
        HTTP::release
    }
}
when CLIENTSSL_CLIENTCERT {
    # Fires when the client presents its certificate, before the handshake finishes
    set tmm_auth_ssl_ocsp_done 0
    # Start at most one OCSP session per connection, and only for folders that need a cert
    if { $needcert == 1 and $tmm_auth_ssl_ocsp_sid == 0 } {
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam ssl_ocsp_prod]
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
        set varcert [SSL::cert 0]
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid $varcert
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        set id [SSL::sessionid]
        # Scratch list from the debugging session; element 0 holds the local verify result
        set ssl_array [list blah1 blah2]
        lset ssl_array 0 [X509::verify_cert_error_string [SSL::verify_result]]
        log local0. "[IP::client_addr]:[TCP::client_port]: SessionID: [SSL::sessionid],\
            SSL verify result: [X509::verify_cert_error_string [SSL::verify_result]]. Holding SSL handshake."
        # Pause the handshake until the AUTH_RESULT handler resumes or rejects it
        SSL::handshake hold
    }
}
...
Aaron
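A companion AUTH_RESULT handler, added here as an illustration and not part of Aaron's post or of F5's own code, showing the kind of logging that tells you whether the event fires at all for a given connection and what status the OCSP session came back with. It assumes the variable names and the PAM profile name (ssl_ocsp_prod) used in the block above, and that the CLIENTSSL_CLIENTCERT block has already called SSL::handshake hold. Treating the "error" status (responder unreachable, malformed response) as a rejection is a fail-closed choice made in this example, not something the thread specifies.

```tcl
# Added example, not from the original post: a debug-instrumented AUTH_RESULT
# handler paired with the CLIENTSSL_CLIENTCERT block above. Variable names and
# the profile name ssl_ocsp_prod are assumed from the posted iRule.
when AUTH_RESULT {
    # Only act on the OCSP session this connection started; a connection can
    # own more than one AUTH session, so match on the session id.
    if { [info exists tmm_auth_ssl_ocsp_sid] and \
         [AUTH::last_event_session_id] == $tmm_auth_ssl_ocsp_sid } {
        set tmm_auth_ssl_ocsp_done 1
        # Log the raw status and response data first, so a "failed" vs "error"
        # result can be told apart from the /var/log/ltm output alone.
        log local0. "[IP::client_addr]:[TCP::client_port]: AUTH_RESULT fired,\
            status: [AUTH::status], response: [AUTH::response_data]"
        switch [AUTH::status] {
            "authorized" {
                # OCSP reported the certificate as good: let the handshake finish
                log local0. "[IP::client_addr]:[TCP::client_port]: OCSP good. Resuming SSL handshake."
                SSL::handshake resume
            }
            "failed" {
                # OCSP reported the certificate as revoked or the check was denied
                log local0. "[IP::client_addr]:[TCP::client_port]: OCSP failed. Rejecting connection."
                reject
            }
            default {
                # "error" or any other status: fail closed (example's choice)
                log local0. "[IP::client_addr]:[TCP::client_port]: OCSP status [AUTH::status]. Rejecting connection."
                reject
            }
        }
    } else {
        # An AUTH_RESULT for some other session, or one arriving before the
        # connection variables were set; worth logging while debugging.
        log local0. "[IP::client_addr]:[TCP::client_port]: AUTH_RESULT for unrelated session\
            [AUTH::last_event_session_id], status: [AUTH::status]"
    }
}
```

When reading the resulting /var/log/ltm for a failing certificate, the useful comparison is between the "Holding SSL handshake" line from CLIENTSSL_CLIENTCERT and an "AUTH_RESULT fired" line for the same client address and port: if the second never appears, the session was started but no result was delivered, which is a different problem from a result arriving with a "failed" or "error" status.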