Forum Discussion

Historic F5 Account

Mar 01, 2005

BIGIP 9.0.4 irule checking session ID

Customer seeing their SSL Connections being timed out due to the redirect rule they have. They have a requirement for this redirect if the client cert is bad. They need to find away for it to...

Historic F5 Account

Sep 19, 2007

You can add a flag to control the logic so the check only happens on the first request in a connection, something like this:

rule verifycert {
  when CLIENT_ACCEPTED {
    set verify_me 1
  }
  when CLIENTSSL_CLIENTCERT {
    check the status of the Client cert
    store the value in the session table
    session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180
  }
  when HTTP_REQUEST {
    if {$verify_me == 1}{
      set id [SSL::sessionid]
       look up this session to find out what our Cert status is
       if we see that the status is OK then we insert a header
      set y [session lookup ssl $id]
      if { $y contains "ok" } {
        HTTP::header insert SSLCLientCertStatus $y
        set verify_me 0
      } else {
         we get here because the status was not "ok"
        HTTP::redirect http://www.example.com/examplefail.html
      }
    }
  }
}

/deb

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)