Forum Discussion
GavinW_29074
Jan 16, 2012 | Nimbostratus
Catch specific SSL errors/failures???
Hi there
One of the requirements that I've been given is to try and catch certain SSL errors and return a more friendly error page, rather than the browser default...
A couple of ...
nitass
Jan 16, 2012 | Employee
Not sure whether SSL::verify_result is usable.
SSL::verify_result wiki
http://devcentral.f5.com/wiki/iRules.SSL__verify_result.ashx
[root@ve1023:Active] ca2012 b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:443
   ip protocol 6
   rules myrule
   profiles {
      http {}
      myclientssl {
         clientside
      }
      tcp {}
   }
}

[root@ve1023:Active] ca2012 b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}

[root@ve1023:Active] ca2012 b profile myclientssl list
profile clientssl myclientssl {
   defaults from clientssl
   ca file "chain.crt"
   peer cert mode request
}

[root@ve1023:Active] ca2012 b rule myrule list
rule myrule {
   when HTTP_REQUEST {
      if {[SSL::verify_result]} {
         HTTP::respond 403 content [X509::verify_cert_error_string [SSL::verify_result]]
      }
   }
}

[root@ve1023:Active] ca2012 curl -ik https://172.28.19.79
HTTP/1.0 403 Forbidden
Server: BigIP
Connection: Keep-Alive
Content-Length: 32

application verification failure

[root@ve1023:Active] ca2012 curl -ik https://172.28.19.79 --cert certs/client.crt --key certs/client.key
HTTP/1.1 200 OK
Date: Mon, 16 Jan 2012 17:32:45 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Set-Cookie: BROWSER=MOZILLA%20INTERNET_EXPLORER%20CHROME; path=/
Content-Type: text/html; charset=UTF-8

...
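
Building on the iRule in the reply above, an added example (not code from the thread or from F5) that maps individual verify results to friendlier pages, as the question asks. It assumes the same clientssl profile with "peer cert mode request", and that SSL::verify_result returns OpenSSL's X509_V_ERR_* numbers; the message texts and the set of codes handled are illustrative choices.

```tcl
when HTTP_REQUEST {
    # 0 means the client certificate verified against the profile's CA file.
    set vr [SSL::verify_result]
    if { $vr == 0 } { return }

    # Codes below are OpenSSL X509_V_ERR_* values (assumed mapping):
    #  9 not yet valid, 10 expired, 18/19 self-signed (leaf / in chain),
    #  20/21 issuer unknown, 23 revoked, 50 application verification failure
    #  (the result the thread's curl run without --cert produced).
    switch -- $vr {
        9  { set msg "Your client certificate is not valid yet." }
        10 { set msg "Your client certificate has expired." }
        18 -
        19 { set msg "Self-signed client certificates are not accepted." }
        20 -
        21 { set msg "Your client certificate was not issued by a trusted authority." }
        23 { set msg "Your client certificate has been revoked." }
        50 { set msg "A client certificate is required to use this site." }
        default { set msg "Your client certificate could not be verified." }
    }

    # Keep the exact OpenSSL reason in the local log for operators;
    # the client only sees the friendly text.
    log local0. "client cert rejected: code=$vr reason=[X509::verify_cert_error_string $vr] client=[IP::client_addr]"

    HTTP::respond 403 content "<html><body><h1>Access denied</h1><p>$msg</p></body></html>" "Content-Type" "text/html"
}
```

With "peer cert mode request" the handshake completes even when verification fails, so this iRule is the only thing rejecting the request; every non-zero result, including the default branch, must end in a 403.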