Forum Discussion

adharkrader
Apr 01, 2017

Can I reply with an SSL alert when validating client certificate?

I have an iRule that validates client certs against a data group. Currently, if they don't match, I send a Reject (TCP RST). Problem is that the calling browsers retry... I've seen up to 9 retries. Is there a way to reply with an actual SSL Alert message from RFC5246?
I saw Hoolio's iRule that delays the response until the first HTTP_REQUEST but I'd like to abort the session right at the handshake, if I can send something marginally informative back to the caller.
Thanks - Al
3 Replies

  • Just the kind of gnarly bin/hex widget I was looking for... I assume there's no SSL::alert function?
  • Hello,

    The command SSL::verify_result not only shows the result of the client certificate verification, but can also be used to change the result.

    when CLIENTSSL_CLIENTCERT {
        if {[SSL::cert count] > 0} {
            if {[SSL::verify_result] == 0} {
                # At this point the client cert was already determined to be valid
                # (chain verification passed). Placeholder check: compare the cert
                # subject against a data group named allowed_client_certs; adjust
                # the field and the data-group name to your own setup.
                if { ![class match [X509::subject [SSL::cert 0]] equals allowed_client_certs] } {
                    # Certificate does not match, respond as if we don't trust them
                    SSL::verify_result 20
                }
            }
        }
    }

    I recommend using the command in the CLIENTSSL_CLIENTCERT event. This should result in an actual SSL alert response.

    The SSL::verify_result page provides several possible error responses.
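As an added example that is not part of the original thread or of F5's own code, the following Python decoder reads TLS alert records (RFC 5246 section 7.2) from captured bytes, so you can confirm in a packet capture that the virtual server now answers a rejected client certificate with an alert rather than a TCP RST. The sample bytes and the record order are constructed to exercise the parser; in TLS 1.2 the server's alert in response to the client Certificate message is sent before ChangeCipherSpec, so its level and description are visible in plaintext.

```python
import struct

CONTENT_TYPE_ALERT = 21  # TLS record content type for Alert (RFC 5246 section 6.2.1)

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values from RFC 5246 section 7.2 (TLS 1.2).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate_RESERVED", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction_RESERVED",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}


def parse_tls_records(data):
    """Split raw bytes into (content_type, (major, minor), payload) TLS records."""
    records = []
    offset = 0
    while offset < len(data):
        if offset + 5 > len(data):
            raise ValueError("truncated TLS record header")
        content_type, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record body")
        records.append((content_type, (major, minor), payload))
        offset += 5 + length
    return records


def decode_alerts(data):
    """Return (level_name, description_name) for every alert record in data.

    A plaintext alert body is exactly two bytes. Alerts sent after the handshake
    are encrypted, so only the record type is visible; those are reported as
    ("encrypted", "unknown") instead of guessing at their contents.
    """
    alerts = []
    for content_type, _version, payload in parse_tls_records(data):
        if content_type != CONTENT_TYPE_ALERT:
            continue
        if len(payload) != 2:
            alerts.append(("encrypted", "unknown"))
            continue
        level, description = payload[0], payload[1]
        alerts.append((
            ALERT_LEVELS.get(level, "unknown(%d)" % level),
            ALERT_DESCRIPTIONS.get(description, "unknown(%d)" % description),
        ))
    return alerts


# Constructed sample bytes (not from a real capture): a handshake record followed
# by a fatal unknown_ca alert, the kind of server reply one would look for when a
# client certificate is rejected during the handshake.
SAMPLE_SERVER_BYTES = bytes.fromhex(
    "16030300040e000000"   # Handshake record, type 14 (ServerHelloDone), length 0
    "15030300020230"       # Alert record: level 2 (fatal), description 48 (unknown_ca)
)

if __name__ == "__main__":
    for level, desc in decode_alerts(SAMPLE_SERVER_BYTES):
        print("TLS alert: %s %s" % (level, desc))
```

Feed it the server-to-client bytes of the handshake (for example, exported from a capture filtered on the virtual server's port); a TCP RST produces no alert record at all, while the iRule above should yield a fatal alert record right after the client Certificate message.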