Forum Discussion
Client authentication
```tcl
when CLIENT_ACCEPTED {
    set gotcert 0
    SSL::profile client_cert_optional
}
when CLIENTSSL_CLIENTCERT {
    # Fires when the client presents a certificate during the handshake;
    # cache the cert and its verification result in the session table.
    set sslc [SSL::cert 0]
    set ssle [X509::verify_cert_error_string [SSL::verify_result]]
    set ssl_stuff [list $sslc $ssle]
    session add ssl [SSL::sessionid] $ssl_stuff 180
    set gotcert 1
}
when CLIENTSSL_HANDSHAKE {
    # Handshake finished: release the request that HTTP::collect is holding.
    HTTP::release
}
when HTTP_REQUEST {
    set request [HTTP::request]
    set uri [HTTP::uri]
    switch -regexp $uri {
        ^/(login|admin/login|etc.)/$ {
            if { [SSL::cert count] == 0 } {
                # Hold the request and force a renegotiation that requires a client cert.
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 3
                SSL::cert mode require
                SSL::renegotiate
                # Look up the cached cert and copy its details into request headers.
                set y [session lookup ssl [SSL::sessionid]]
                set ssl_cert [lindex $y 0]
                set ssl_ok [lindex $y 1]
                if { $ssl_ok contains "ok" } {
                    HTTP::header insert ClientCertExtensions [X509::extensions $ssl_cert]
                    HTTP::header insert ClientCertHash [X509::hash $ssl_cert]
                    HTTP::header insert SSLCLientCertStatus $ssl_ok
                    HTTP::header insert "CLIENT_IP" [IP::client_addr]
                    HTTP::header insert "SSL_CLIENT_M_SERIAL" [X509::serial_number $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_I_DN" [X509::issuer $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_S_DN" [X509::subject $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_I_DN_x509" [X509::issuer $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_CERT" [X509::whole $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_M_VERSION" [X509::version $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_V_START" [X509::not_valid_before $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_V_END" [X509::not_valid_after $ssl_cert]
                    HTTP::header insert "SSL_CLIENT_VERIFY" "SUCCESS"
                    log [X509::whole $ssl_cert]
                }
            }
        }
    }
}
```
- Arnaud_Lemaire
Employee
Hello, do you mean that if you don't refresh the request client side, the header won't be inserted with certificate information after the SSL renegotiation?
If that is the case, it may be because at the time you did the insert, there was no certificate presented.
What is your SSL profile parameter for client auth? Request?
- Kevin_Stewart
Employee
You're forcing a "step up" SSL renegotiation with the SSL::renegotiate command, which is happening after the first HTTP request. Why not just set Require in the client auth section of the client SSL profile?
- Arnaud_Lemaire
Employee
Hi again, please have a look at this code: https://devcentral.f5.com/codeshare?sid=665.
As I said before, you can use the same event as you are collecting, and during the event the SSL information is not present. You can modify your iRule like in this code share, which uses the event HTTP_REQUEST_SEND, just before sending the request to the server, to add the header and SSL information.
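The restructuring the replies describe, as an added example (not the original poster's iRule and not the linked codeshare): header insertion moves out of HTTP_REQUEST, where the renegotiation has not yet happened, into HTTP_REQUEST_SEND, which runs after HTTP::release. It assumes the cert is wanted only for the two login paths and that HTTP_REQUEST_SEND needs `clientside { ... }` to change request headers.

```tcl
when CLIENT_ACCEPTED {
    set gotcert 0
    set needcert 0
}
when CLIENTSSL_CLIENTCERT {
    # Fires during the (re)negotiated handshake when the client sends a cert.
    set sslc [SSL::cert 0]
    set ssle [X509::verify_cert_error_string [SSL::verify_result]]
    session add ssl [SSL::sessionid] [list $sslc $ssle] 180
    set gotcert 1
}
when CLIENTSSL_HANDSHAKE {
    # Only release if this handshake was the step-up we asked for;
    # the initial handshake completes before any request is collected.
    if { $needcert } {
        HTTP::release
    }
}
when HTTP_REQUEST {
    set needcert 0
    switch -regexp [HTTP::uri] {
        ^/(login|admin/login)/$ {
            if { [SSL::cert count] == 0 } {
                # Hold the request and ask for a client cert now. Do NOT read
                # the cert here: the renegotiation has not run yet.
                set needcert 1
                HTTP::collect
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }
}
when HTTP_REQUEST_SEND {
    # Runs just before the request goes to the pool member, i.e. after the
    # step-up handshake delivered the cert. $sslc/$ssle were set on this
    # connection by CLIENTSSL_CLIENTCERT (assumed; resumed-session lookup
    # from the session table is left out here).
    if { $needcert && $gotcert } {
        clientside {
            if { $ssle contains "ok" } {
                HTTP::header insert "SSL_CLIENT_S_DN" [X509::subject $sslc]
                HTTP::header insert "SSL_CLIENT_I_DN" [X509::issuer $sslc]
                HTTP::header insert "SSL_CLIENT_M_SERIAL" [X509::serial_number $sslc]
                HTTP::header insert "SSL_CLIENT_VERIFY" "SUCCESS"
            } else {
                # Pass the failure reason so the server can reject the login.
                HTTP::header insert "SSL_CLIENT_VERIFY" "FAILED:$ssle"
            }
        }
    }
}
```

Because the headers are set after the handshake, the client does not need to re-send the request for them to appear.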