Forum Discussion
scott_nixon_825
Mar 01, 2005 Historic F5 Account
BIGIP 9.0.4 irule checking session ID
Customer seeing their SSL Connections being timed out due to the redirect rule they have.
They have a requirement for this redirect if the client cert is bad. They need to find a way for it to...
Deb_Allen_18
Sep 19, 2007 Historic F5 Account
You can add a flag to control the logic so the check only happens on the first request in a connection, something like this:
    rule verifycert {
        when CLIENT_ACCEPTED {
            # flag: run the check only on the first request of this connection
            set verify_me 1
        }
        when CLIENTSSL_CLIENTCERT {
            # check the status of the Client cert
            # store the value in the session table
            session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180
        }
        when HTTP_REQUEST {
            if { $verify_me == 1 } {
                set id [SSL::sessionid]
                # look up this session to find out what our Cert status is
                # if we see that the status is OK then we insert a header
                set y [session lookup ssl $id]
                if { $y contains "ok" } {
                    HTTP::header insert SSLCLientCertStatus $y
                    set verify_me 0
                } else {
                    # we get here because the status was not "ok"
                    HTTP::redirect http://www.example.com/examplefail.html
                }
            }
        }
    }

/deb