Forum Discussion
Catch specific SSL errors/failures???
One of the requirements that I've been given is to try and catch certain SSL errors and return a more friendly error page, rather than the browser default...
A couple of the examples that have come up so far are:
* A user attempting to connect to a VIP that is enforcing client SSL certificates but doesn't have a valid client SSL certificate installed...
* A user attempting to connect to a VIP with an expired Client SSL certificate
* A user connecting with a very old SSL Version or Cipher...
Now the last one is nice and easy as there's plenty of reference code on the Wiki...
However I'm struggling with 1 & 2 above...
Any pointers or ideas???
Cheers
Gav
- GavinW_29074 (Nimbostratus): Damn... I've just spotted a gap in my rule...
- hooleylist (Cirrostratus):
To request a client cert for specific URIs, you could:
* set the client SSL cert mode to ignore
* put the URIs you do or don't want to request a client cert for in a data group
* in HTTP_REQUEST, check if the URI requires a client cert, set a variable to track that you've requested a client cert and then do:

    # Force renegotiation of the SSL connection with a cert requested
    set need_cert 1
    SSL::session invalidate
    SSL::authenticate always
    SSL::authenticate depth 9
    SSL::cert mode request
    SSL::renegotiate
On the subsequent CLIENTSSL_CLIENTCERT event, check if the client presented a valid cert. If so, allow the request. If not, send a response and block the request.
I'm not sure if it helps or over complicates things, but I tested a related iRule for selective client cert requesting. But it includes OCSP validation and was done pre-10.1.0 when the SSL::cert was cached for us for the duration of the SSL session. Anyhow, here it is:
http://devcentral.f5.com/wiki/iRules.client_cert_request_by_uri_with_ocsp_checking.ashx
If all of this looks too complicated, you could try separating the content which requires a client cert to another virtual server and then use the iRule you've already written.
Aaron
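As an added illustration of the flow Aaron outlines (this is example code written for this thread, not the codeshare iRule he links and not code from either poster), here is a complete iRule that requests a client cert only for listed URIs and turns the two cases from the original question, no certificate and a rejected (e.g. expired) certificate, into a friendly 403 page. Assumed names: a data group `client_cert_uris` holding URI prefixes, the variables `cert_requested`, `cert_status` and `cert_error_html`, and the Client SSL profile set to cert mode "ignore". It also assumes that a request held with HTTP::collect is handed to HTTP_REQUEST_DATA once HTTP::release is called from CLIENTSSL_CLIENTCERT; verify that ordering on your TMOS version before relying on it.

```tcl
# Example iRule (added for this thread; not from the original posts).
# Assumptions: data group "client_cert_uris" with URI prefixes that need a
# client cert; Client SSL profile cert mode = ignore; a request held with
# HTTP::collect reaches HTTP_REQUEST_DATA after HTTP::release.

when CLIENT_ACCEPTED {
    # Per-connection state: no cert requested yet, no verdict yet
    set cert_requested 0
    set cert_status "none"
    set cert_error_html ""
}

when HTTP_REQUEST {
    # Only URIs listed in the (assumed) data group need a client cert
    if { not [class match [HTTP::uri] starts_with client_cert_uris] } {
        return
    }
    if { $cert_requested == 0 } {
        # First protected request on this connection: renegotiate the SSL
        # session and ask the browser for a certificate (Aaron's commands)
        set cert_requested 1
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode request
        SSL::renegotiate
        # Hold the request until CLIENTSSL_CLIENTCERT has recorded a verdict
        HTTP::collect
        return
    }
    # Later requests on the same connection reuse the recorded verdict
    if { $cert_status ne "ok" } {
        HTTP::respond 403 content $cert_error_html "Content-Type" "text/html"
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires once the renegotiation completes; classify what the client sent
    if { [SSL::cert count] == 0 } {
        # Case 1 from the question: no client certificate presented at all
        set cert_status "missing"
        set cert_msg "No client certificate was presented."
    } elseif { [SSL::verify_result] != 0 } {
        # Case 2: a certificate was sent but failed verification; the OpenSSL
        # reason string reads e.g. "certificate has expired"
        set cert_status [X509::verify_cert_error_string [SSL::verify_result]]
        set cert_msg "Your client certificate was rejected: $cert_status."
    } else {
        set cert_status "ok"
        set cert_msg ""
    }
    if { $cert_status ne "ok" } {
        # Build the friendly page once and reuse it for the whole connection
        set cert_error_html "<html><body><h1>Client certificate required</h1><p>$cert_msg</p><p>Please install a valid certificate and try again.</p></body></html>"
    }
    log local0. "client cert status for [IP::client_addr]: $cert_status"
    # Hand the held request back to the HTTP filter
    HTTP::release
}

when HTTP_REQUEST_DATA {
    # Assumed: the released request lands here; answer it now
    if { $cert_status ne "ok" } {
        HTTP::respond 403 content $cert_error_html "Content-Type" "text/html"
    }
}
```

The log line is the piece a defender will want when tuning this: it records, per client address, whether the failure was a missing certificate or a specific X509 verification error, so expired-certificate users can be distinguished from users with no certificate at all without exposing those details in the browser.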
- GavinW_29074 (Nimbostratus): Aaron