Forum Discussion

scott_nixon_825
Historic F5 Account
Mar 01, 2005

BIGIP 9.0.4 irule checking session ID

Customer is seeing their SSL connections being timed out due to the redirect rule they have.

They have a requirement for this redirect if the client cert is bad. They need to find a way for it to only check the session ID once when the connection is created and not again for existing connections.

Here is their current rule that's not working (what could be wrong?):

rule verifycert {
  when CLIENTSSL_CLIENTCERT {
    # check the status of the Client cert
    # store the value in the session table
    session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180
  }
  when HTTP_REQUEST {
    set id [SSL::sessionid]
    # look up this session to find out what our Cert status is
    # if we see that the status is OK then we insert a header
    set y [session lookup ssl $id]
    if { $y contains "ok" } {
      HTTP::header insert SSLCLientCertStatus $y
    } else {
      # we get here because the status was not "ok"
      HTTP::redirect http://www.example.com/examplefail.html
    }
  }
}

 

  • Deb_Allen_18
    Historic F5 Account
    You can add a flag to control the logic so the check only happens on the first request in a connection, something like this:
    rule verifycert {
      when CLIENT_ACCEPTED {
        set verify_me 1
      }
      when CLIENTSSL_CLIENTCERT {
        # check the status of the Client cert
        # store the value in the session table
        session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180
      }
      when HTTP_REQUEST {
        if { $verify_me == 1 } {
          set id [SSL::sessionid]
          # look up this session to find out what our Cert status is
          # if we see that the status is OK then we insert a header
          set y [session lookup ssl $id]
          if { $y contains "ok" } {
            HTTP::header insert SSLCLientCertStatus $y
            set verify_me 0
          } else {
            # we get here because the status was not "ok"
            HTTP::redirect http://www.example.com/examplefail.html
          }
        }
      }
    }

    /deb
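An added example, not from either poster: the same once-per-connection flag, but with an exact match on the "ok" string, an explicit branch for an empty session-table lookup (no entry was stored for this SSL session, or the 180 s entry has expired), and removal of any client-supplied copy of the status header before the trusted value is inserted. The header name, redirect URL and v9 event/command names are the thread's; the rule name and log messages are mine.

```tcl
# Added example (not from the thread): verify the client certificate once per
# TCP connection, treat a missing session-table entry as a failure, and make
# sure the backend only ever sees the header value set by this rule.
rule verifycert_once {
  when CLIENT_ACCEPTED {
    # one check per connection, however many HTTP requests it carries
    set verify_me 1
  }
  when CLIENTSSL_CLIENTCERT {
    # record the verification result for this SSL session id (180 s TTL)
    session add ssl [SSL::sessionid] \
      [X509::verify_cert_error_string [SSL::verify_result]] 180
  }
  when HTTP_REQUEST {
    # never forward a client-supplied copy of the status header
    HTTP::header remove SSLCLientCertStatus
    if { $verify_me == 1 } {
      set status [session lookup ssl [SSL::sessionid]]
      if { $status eq "" } {
        # no entry: the cert event never ran for this session or the entry expired
        log local0. "no cert status for session [SSL::sessionid] from [IP::client_addr]"
        HTTP::redirect http://www.example.com/examplefail.html
        return
      }
      if { $status ne "ok" } {
        # X509::verify_cert_error_string returns exactly "ok" on success
        log local0. "client cert rejected ($status) from [IP::client_addr]"
        HTTP::redirect http://www.example.com/examplefail.html
        return
      }
      # passed: stop re-checking on later requests in this connection
      set verify_me 0
    }
    HTTP::header insert SSLCLientCertStatus "ok"
  }
}
```

The log lines give you a per-client record of redirects, which is the first thing to look at when a customer reports connections "timing out" on a redirect rule.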