Forum Discussion
adharkrader
Nimbostratus
Apr 01, 2017
Can I reply with an SSL alert when validating client certificate?
I have an iRule that validates client certs against a data group. Currently, if they don't match, I send a Reject (TCP RST). Problem is that the calling browsers retry... I've seen up to 9 retries....
Jeremy_Church_3
Cirrus
Apr 06, 2017
Hello,
The SSL::verify_result command not only shows the result of the client certificate verification, but can also be used to change the result.
    when CLIENTSSL_CLIENTCERT {
        if {[SSL::cert count] > 0} {
            if {[SSL::verify_result] == 0} {
                # at this point, the client was already determined to be valid.
                if {"your check is false"} {
                    # certificate does not match, respond like we don't trust them
                    SSL::verify_result 20
                }
            }
        }
    }
I recommend using the command in the CLIENTSSL_CLIENTCERT event. This should result in an actual SSL alert response.
The SSL::verify_result page provides several possible error responses.
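As an added example (not the answerer's or the original poster's code), here is the skeleton above filled in with the data-group check the question describes: the leaf certificate's subject DN is looked up in a string data group and, on a miss, the verification result is overridden so the client receives an SSL alert rather than a TCP reset. The data group name allowed_client_certs and the choice to match on the subject DN are assumptions for this example.

```tcl
# Added example, not the original poster's iRule. Assumes a string data
# group named "allowed_client_certs" whose entries are the full subject DNs
# of the client certificates that are permitted.
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        # No certificate presented; let the Client SSL profile's own
        # require/request setting decide what happens.
        return
    }

    # Only act when the Client SSL profile already accepted the chain;
    # a non-zero result means it is being rejected anyway.
    if { [SSL::verify_result] != 0 } {
        return
    }

    # Subject DN of the leaf certificate (index 0 of the presented chain).
    set subject [X509::subject [SSL::cert 0]]

    if { [class match -- $subject equals allowed_client_certs] } {
        # Subject is on the allow-list; the handshake completes normally.
        return
    }

    # Not on the allow-list: set X509 error 20 (unable to get local issuer
    # certificate) so the handshake ends with an SSL alert instead of the
    # TCP reset a plain "reject" would produce.
    log local0. "Client cert subject <$subject> from [IP::client_addr] not in allowed_client_certs; failing handshake"
    SSL::verify_result 20
}
```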