Forum Discussion

Jeremy_Bridges_
Jun 17, 2008

Best way to detect a certificate

Hello,

I have been trying to figure out the best way to detect and persist a client certificate using an iRule. It seems the best way is to use the CLIENTSSL_CLIENTCERT event to check for the certificate, then store it in the ssl persistence table with a timeout that is the same length as the SSL session timeout:

    when CLIENTSSL_CLIENTCERT {
        # Only store the certificate if it passed verification
        if { [SSL::verify_result] == 0 } {
            set cert [SSL::cert 0]
            # Key the entry on the SSL session ID; 3600 is the timeout in seconds
            session add ssl [SSL::sessionid] $cert 3600
        }
    }

My real quandary comes when I try to check for the valid certificate in a general event used to handle the request. The CLIENTSSL_CLIENTCERT event only fires when a client certificate is sent to the server. If the client uses an abbreviated handshake, no cert is sent, just the session ID.

Plus, it is unclear to me how exactly I am supposed to check for the existence of the cert in the persistence table. Any of the X509 functions (like X509::subject) will error if they try to operate on a non-existent certificate.

Here is what I have so far:

    when HTTP_REQUEST {
        set clientCert [session lookup ssl [SSL::sessionid]]

        if { $clientCert eq "" } {
            # SSL connection is bad: redirect to login page
            HTTP::redirect "https://login.company.com"
            return
        } else {
            # SSL connection is good
            if { [SSL::cert count] == 0 } {
                # abbreviated handshake
                log "using abbreviated handshake"
            } else {
                # full handshake
                log "using full handshake"
            }

            # record cert into the HTTP header
            HTTP::header insert ClientCertSubject [X509::subject $clientCert]
            HTTP::header insert ClientCertIssuer [X509::issuer $clientCert]
            HTTP::header insert ClientCertThumbPrint [b64encode [X509::hash $clientCert]]
            HTTP::header insert ClientCertSN [b64encode [X509::serial_number $clientCert]]
        }
    }

So, I have three questions:

1. Can I retrieve the current SSL session timeout value? I don't really want to hard-code the value in the iRule.

2. Is there a better event to retrieve the certificate in besides HTTP_REQUEST?

3. Is there a better way to check for the existence of a certificate besides comparing to a zero-length string?
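A worked version of the flow described in the post, added here as an example and not code from the post's author: it keeps the certificate in the ssl session table keyed on the SSL session ID so a resumed (abbreviated) handshake can still find it, checks for the entry with string length and a catch around X509::subject rather than letting the X509 commands fail, removes a stale entry when verification fails, and strips any client-supplied copies of the identity headers before inserting its own. The 3600-second timeout, the login.company.com URL and the header names follow the post; the assumptions are that the clientssl profile is set to request or require a client certificate, that 3600 matches the profile's SSL session cache timeout, and that catch is an acceptable existence check for the stored value.

```tcl
# Added example, not from the original post. Assumes the clientssl profile
# requests/requires a client cert and that the 3600-second timeout below
# matches the profile's session cache timeout (adjust to your profile).

when CLIENTSSL_CLIENTCERT {
    # Fires only on a full handshake in which the client presented a cert.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set cert [SSL::cert 0]
        # Key on the SSL session ID so an abbreviated (resumed) handshake,
        # which carries no certificate, can still look it up.
        session add ssl [SSL::sessionid] $cert 3600
    } else {
        # A failed verification must not leave an earlier entry behind.
        session delete ssl [SSL::sessionid]
    }
}

when HTTP_REQUEST {
    # Never trust these headers from the client. Remove every occurrence
    # before deciding whether to insert our own, so a client cannot ship a
    # spoofed certificate identity to the pool members.
    foreach h { ClientCertSubject ClientCertIssuer ClientCertThumbPrint ClientCertSN } {
        while { [HTTP::header exists $h] } {
            HTTP::header remove $h
        }
    }

    set clientCert [session lookup ssl [SSL::sessionid]]

    # Existence check without touching X509::* on an empty value:
    # string length is safe on an empty lookup result, and the catch
    # (assumption: treated here as the validity test) guards against a
    # stored value that X509::subject cannot parse.
    if { [string length $clientCert] == 0 || [catch { X509::subject $clientCert } subject] } {
        log local0. "no valid client cert for session [SSL::sessionid]; redirecting"
        HTTP::redirect "https://login.company.com"
        return
    }

    if { [SSL::cert count] == 0 } {
        log local0. "abbreviated handshake: cert came from the session table"
    } else {
        log local0. "full handshake: cert presented on this connection"
    }

    # Only reached when a verified certificate was found for this session.
    HTTP::header insert ClientCertSubject $subject
    HTTP::header insert ClientCertIssuer [X509::issuer $clientCert]
    HTTP::header insert ClientCertThumbPrint [b64encode [X509::hash $clientCert]]
    HTTP::header insert ClientCertSN [b64encode [X509::serial_number $clientCert]]
}
```

The header stripping is the part a practitioner should not skip: HTTP::header insert adds a header rather than replacing one, so without the removal loop a request that already carries a ClientCertSubject header would reach the server with two of them, and which one the application reads is up to the application. The timeout still has to be kept in step with the profile by hand; if the session table entry outlives the SSL session cache, a later connection cannot resume that session ID anyway, and if it expires first, a resumed handshake will be redirected to the login page even though the TLS session is still valid.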