Certificate Authentication issue with Firefox 4

Hi

 

We have a SSL site. Once you have connected, you must get authenticated to access a a part of the site. You can be authenticated with user and password, but you can also choose to be authenticated with a certificate.

 

To do that whe have this iRule (based on an example found in devcentral):

 

 

 

Initialize the variables on new client tcp session.

 

when CLIENT_ACCEPTED {

 

set collecting 0

 

set renegtried 0

 

}

 

 

Runs for each new http request

 

when HTTP_REQUEST {

 

 

set uri [string tolower [HTTP::uri] ]

 

if { $renegtried == 0

 

and [SSL::cert count] == 0

 

and ([HTTP::uri] matches_regex {^/certauth.jsp$}) } {

 

HTTP::collect

 

set collecting 1

 

SSL::cert mode request

 

SSL::renegotiate

 

}

 

}

 

 

After a handshake, we log that we have tried it. This is to prevent

 

constant attempts to renegotiate the SSL session. I'm not sure of this

 

feature; this may in fact be a mistake, but we can change it at any time.

 

It is transparent if we do: the connections only work slower. It would,

 

however, make BigIP detect inserted smartcards immediately. Right answer

 

depends on the way the feature is used by applications.

 

when CLIENTSSL_HANDSHAKE {

 

if { $collecting == 1 } {

 

set renegtried 1

 

Release allows the request processing to occur normally from this

 

point forwards. The next event to fire is HTTP_REQUEST_SEND.

 

HTTP::release

 

}

 

}

 

 

Inject headers based on earlier renegotiations, if any.

 

when HTTP_REQUEST_SEND {

 

if {not ([catch {SSL::cipher version} result]) && $result ne "none"}{

 

clientside {

 

HTTP::header remove "WL-Proxy-Client-Cert"

 

 

if certificate is available, send it. Otherwise, send a header

 

indicating a failure, if we have already attempted a renegotiate.

 

catch {SSL::cert count } numbercerts

 

if { $numbercerts > 0 } {

 

set client_cert [SSL::cert 0]

 

 

HTTP::header insert "WL-Proxy-Client-Cert " [X509::whole [SSL::cert 0]]

 

 

HTTP::header insert "WL-Proxy-Client-Cert " [ join [string trim [string map { "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" ""} [X509::whole [SSL::cert 0]] ] ] "" ]

 

log local0. "\[HTTP::header value WL-Proxy-Client-Cert\]: [HTTP::header value WL-Proxy-Client-Cert]"

 

foreach aHeader [HTTP::header names] {

 

log local0. "[IP::client_addr]:[TCP::client_port]: $aHeader \

 

([string length [HTTP::header value $aHeader]]): [HTTP::header value $aHeader]"

 

}

 

} elseif { $renegtried == 1 } {

 

This header has some debug value: if the FAILED header is not

 

present, BigIP is probably not configured to do client certs

 

at all.

 

HTTP::header insert "WL-Proxy-Client-Cert_FAILED" "true"

 

}

 

}

 

} else {

 

log local0. "\$result: $result. Redirecting unencrypted request."

 

}

 

}

 

 

After the upgrade to 10.2 the cert authentication stopped working until we enabled ssl renegotiation.Now we are suffering the same problem with Firefox 4: the certificate authentication doesn't work until we enable SSL Renegotation in the browser settings (https://support.mozilla.com/es/ques...wer-158847).

 

 

Is there any workaround? Is there any way to keep the certificate authentication without enabling SSL Renegotiation?

 

 

Thank you in advance