Forum Discussion

Hille_de_Graaf_
Oct 24, 2007

bypass a CRL with an invalid date

Hi,

We are using client certificates and a CRL (Certificate Revocation List) to check whether the client certificate is revoked.

Every night we are loading a new CRL from our provider (just an HTTP GET), but sometimes it happens that the CRL date is not valid anymore.

In the V4 rules we checked if the SSLClientCertStatus is "ok" or contains "error 12", meaning that the CRL date is not valid.

In both cases you are allowed to go to the Pool.

But when I try to build this in a V9 iRule, and test it with a CRL which is out of date, I see the following error in the ltm log:

Oct 23 13:10:03 tmm tmm[1467]: 01260001:2: Found CRL is expired - revoking all certificates until current CRL is available
Oct 23 13:10:03 tmm tmm[1467]: Rule hille-test : ClientSSl_Client handshake status: CRL has expired

I use the following iRule:

when CLIENTSSL_CLIENTCERT {
    set cert [SSL::cert 0]
    # human-readable verify result, e.g. "ok" or "CRL has expired"
    set status [X509::verify_cert_error_string [SSL::verify_result]]
    set subject [X509::subject $cert]
    set serial [X509::serial_number $cert]
    set values [list $cert $status $subject $serial]
    # keep the result in the session table so HTTP_REQUEST can act on it
    session add ssl [SSL::sessionid] $values 3600
    log local0. "ClientSSl_Client handshake status: $status"
}

when HTTP_REQUEST {
    set values [session lookup ssl [SSL::sessionid]]
    if { [lindex $values 1] equals "ok" } {
        HTTP::header insert ClientSSL_subject [lindex $values 2]
        HTTP::header insert ClientSSL_serial [lindex $values 3]
        pool portal-pool
    } elseif { [lindex $values 1] equals "CRL has expired" } {
        # expired CRL: let the client through anyway (fail-open)
        log local0. "CRL date is not valid, but you may continue"
        HTTP::header insert ClientSSL_subject [lindex $values 2]
        HTTP::header insert ClientSSL_serial [lindex $values 3]
        pool portal-pool
    } elseif { [lindex $values 1] equals "" } {
        # no session entry: the handshake never delivered a client cert
        log local0. "no client Cert"
        HTTP::redirect "https://mysite.com/errors/nocert.htm"
    } else {
        # any other verify error (revoked, unknown issuer, ...)
        log local0. "some cert error: [lindex $values 1]"
        HTTP::redirect "https://mysite.com/errors/certerror.htm"
    }
}

Is it possible to bypass the CRL if the CRL date is not valid?
  • David_Holmes_9
    Historic F5 Account

    Hello Hille,

    I tested your rule with an expired CRL and for me anyway, it DOES allow the traffic through. I see the following three messages:

    "Found CRL is expired -- revoking all certificates until current CRL is available."
    Rule crltest : ClientSSL_Client handshake status: CRL has expired
    Rule crltest : CRL date is not valid, but you may continue

    I also tested your rule with a revoked certificate and it redirects to "certerror.htm".

    Do you not see the "you may continue" message when you run your rule?
  • Posted By capmblade on 11/09/2007 10:43 AM

    Hi,
    We removed the following part from the iRule:

    } elseif { [lindex $values 1] equals "CRL has expired" } {
        log local0. "CRL date is not valid, but you may continue"
        HTTP::header insert ClientSSL_subject [lindex $values 2]
        HTTP::header insert ClientSSL_serial [lindex $values 3]
        pool portal-pool

    As it seems that the CRL updates (and dates) are stable.
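The thread ends by dropping the fail-open branch and relying on the nightly CRL refresh staying healthy. The root cause in the original question was that the nightly HTTP GET installed whatever CRL came back, including one whose nextUpdate had already passed, at which point the LTM revokes every client certificate. The following is an added example, not code from the thread or from F5: a Python check to run on the downloaded file before swapping it into the CRL slot, so that a stale download leaves the current, still-valid CRL in place. It parses only the DER fields needed to read thisUpdate and nextUpdate, and it does not verify the CRL signature, which a real installer must also do against the issuer's public key. The 36-hour minimum remaining lifetime, the SAMPLE_NOW timestamp (taken from the log line in the question) and the constructed sample CRLs with placeholder signatures are assumptions made for the example.

```python
"""Validate a downloaded CRL's validity window before installing it (added example)."""
from datetime import datetime, timedelta, timezone

# Timestamp from the ltm log in the question, used as "now" for the demo.
SAMPLE_NOW = datetime(2007, 10, 23, 13, 10, 3, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first                      # short-form length
    else:
        nbytes = first & 0x7F               # long form: number of length bytes
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ; RFC 5280 4.1.2.5.1 pivot at 50
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000
        text = "%04d%s" % (year, text[2:])
    elif tag != 0x18:                       # GeneralizedTime is YYYYMMDDHHMMSSZ
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    if not text.endswith("Z"):
        raise ValueError("CRL times must be UTC (trailing Z)")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_validity_window(der):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList; nextUpdate may be None."""
    tag, cert_list, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList must be a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_list, 0)   # tbsCertList
    if tag != 0x30:
        raise ValueError("TBSCertList must be a SEQUENCE")
    tag, _, pos = _read_tlv(tbs, 0)         # optional version INTEGER, else signature
    if tag == 0x02:
        tag, _, pos = _read_tlv(tbs, pos)   # signature AlgorithmIdentifier
    tag, _, pos = _read_tlv(tbs, pos)       # issuer Name
    tag, value, pos = _read_tlv(tbs, pos)   # thisUpdate
    this_update = _parse_time(tag, value)
    next_update = None
    if pos < len(tbs):
        tag, value, pos = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):             # nextUpdate is OPTIONAL
            next_update = _parse_time(tag, value)
    return this_update, next_update


def should_install(der, now, min_remaining=timedelta(hours=36)):
    """Return (ok, reason). Refuse CRLs that are not yet valid, already expired,
    or that would expire before the next nightly refresh plus slack (assumed 36h)."""
    this_update, next_update = crl_validity_window(der)
    if this_update > now:
        return False, "thisUpdate %s is in the future" % this_update
    if next_update is None:
        return True, "no nextUpdate: CRL never expires, review issuer policy"
    if next_update <= now:
        return False, "CRL already expired at %s" % next_update
    if next_update - now < min_remaining:
        return False, "CRL expires at %s, before the next refresh" % next_update
    return True, "valid until %s" % next_update


def _tlv(tag, content):
    """Encode one DER TLV (lengths up to 65535 are enough for the samples)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def build_sample_crl(this_update, next_update):
    """Constructed v2 CRL with an empty revocation list and a placeholder signature."""
    def utc(dt):
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sha256_rsa = _tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
    alg_id = _tlv(0x30, sha256_rsa + _tlv(0x05, b""))
    cn = _tlv(0x06, bytes.fromhex("550403"))                      # 2.5.4.3 commonName
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, cn + _tlv(0x0C, b"Example CA"))))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg_id + issuer + utc(this_update) + utc(next_update))
    fake_sig = _tlv(0x03, b"\x00" * 33)     # placeholder BIT STRING, not a real signature
    return _tlv(0x30, tbs + alg_id + fake_sig)


def demo(now=SAMPLE_NOW):
    """Run three constructed CRLs through should_install; returns {label: ok}."""
    samples = {
        "stale": build_sample_crl(now - timedelta(days=20), now - timedelta(days=6)),
        "fresh": build_sample_crl(now - timedelta(days=1), now + timedelta(days=13)),
        "expiring_soon": build_sample_crl(now - timedelta(days=1), now + timedelta(hours=12)),
    }
    results = {}
    for label, crl in samples.items():
        ok, reason = should_install(crl, now)
        print("%-13s %s (%s)" % (label, "install" if ok else "keep current CRL", reason))
        results[label] = ok
    return results


if __name__ == "__main__":
    demo()
```

Run this against the file the nightly job downloads, and only replace the installed CRL when should_install returns True; otherwise keep the current one and alert, since a CRL that is already expired on arrival is exactly the case that produced the "revoking all certificates until current CRL is available" message in the question.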