Forum Discussion

jklemm2000
Apr 13, 2010

Client cert in header/OCSP Irule

I am in need of testing an iRule as well as a bit of QA. Basically I am trying to not only pull the client address and insert it into a header but at the same time I am trying to direct traffic to an OCSP responder. I have compiled this iRule and need to see if this is workable.

when CLIENT_ACCEPTED {
    set tmm_auth_ssl_ocsp_sid 0
    set tmm_auth_ssl_ocsp_done 0
}

when CLIENTSSL_CLIENTCERT {
    # Remember the client cert, keyed in the session table by client IP
    set ssl_cert [SSL::cert 0]
    set client_add [IP::client_addr]
    session add uie "msrs_$client_add" $ssl_cert 900
    set tmm_auth_ssl_ocsp_done 0
    # Start an OCSP auth session (PAM config default_ssl_ocsp) and hold the
    # handshake until the responder has answered
    if { $tmm_auth_ssl_ocsp_sid == 0 } {
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
    }
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    SSL::handshake hold
}

when CLIENTSSL_HANDSHAKE {
    set tmm_auth_ssl_ocsp_done 1
}

when AUTH_SUCCESS {
    if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
        set tmm_auth_ssl_ocsp_done 1
        SSL::handshake resume
    }
}

when AUTH_FAILURE {
    if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
        reject
    }
}

when AUTH_WANTCREDENTIAL {
    if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
        reject
    }
}

when AUTH_ERROR {
    if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
        AUTH::abort $tmm_auth_ssl_ocsp_sid
        set tmm_auth_ssl_ocsp_sid 0
        if { $tmm_auth_ssl_ocsp_done == 0 } {
            reject
        }
    }
}

when HTTP_REQUEST {
    if { (! [HTTP::cookie exists ClientZ]) || ([HTTP::cookie value ClientZ] equals "") } {
        # No cookie yet: pull the cert stored for this client IP at handshake time
        set client_add [IP::client_addr]
        set cert [session lookup uie "msrs_$client_add"]
        if { $cert ne "" } {
            set certStr [X509::whole $cert]
            regsub -all "\n" $certStr "" certStr
            # string map removes the exact PEM markers; string trimleft/trimright
            # (as originally written) treat their argument as a character set and
            # can also strip leading or trailing base64 characters
            set certStr [string map {"-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" ""} $certStr]
            if { $certStr equals "" } {
                session delete uie "msrs_$client_add"
            }
        }
    } else {
        # Later requests reuse the value carried in the client-supplied cookie
        # (originally this else was attached to the inner if, so a request that
        # already had the cookie never got the header)
        set certStr [HTTP::cookie value ClientZ]
    }
    if { [info exists certStr] } {
        if { $certStr ne "" } {
            HTTP::header insert SSL-Client-Cert $certStr
        }
    }
}

when HTTP_RESPONSE {
    if { [info exists certStr] } {
        # Tcl variables are case-sensitive ($certSTR in the original was undefined),
        # and HTTP::header insert takes the name and value as separate arguments
        HTTP::header insert Set-Cookie "ClientZ=$certStr; Path=/"
    }
}

  • hoolio
    Hi John,

    Which LTM version are you running? If you're on 9.4.x, you could upgrade to 9.4.8HF3 and then use an iRule like this:

    client_cert_request_by_uri_with_ocsp_checking

    Else, if you stick with the rule you have, you might want to move the 'session add' command from CLIENTSSL_CLIENTCERT to AUTH_SUCCESS so you're only adding the client's details to the session table after they've presented a valid cert and had that cert verified against the OCSP server. Also, it doesn't look like you're checking the client cert against the root CA certificate. You could add security and save some work if you check the client cert is valid before trying the OCSP check. You can do this using SSL::verify_result. Lastly, several of the AUTH_* events have been deprecated in favor of the AUTH_RESULT event.

    Aaron
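The rewrite Aaron describes, as an added example rather than the poster's rule or anything from DevCentral: the chain is checked with SSL::verify_result before OCSP is started, the session-table entry is added only once OCSP has succeeded, and the four AUTH_* handlers are folded into AUTH_RESULT. It assumes a clientssl profile with the trusted CA configured and the same default_ssl_ocsp PAM config as the original rule; ocsp_sid and ssl_cert are variable names chosen here.

```tcl
when CLIENT_ACCEPTED {
    set ocsp_sid 0
}

when CLIENTSSL_CLIENTCERT {
    # Chain check against the CA bundle on the clientssl profile comes first;
    # 0 is X509_V_OK, any other value is an OpenSSL verification error code.
    # No point asking the responder about a cert we would not trust anyway.
    if { [SSL::verify_result] != 0 } {
        log local0. "client cert from [IP::client_addr] failed chain check ([SSL::verify_result])"
        reject
        return
    }
    set ssl_cert [SSL::cert 0]
    if { $ocsp_sid == 0 } {
        # default_ssl_ocsp: PAM OCSP config name taken from the original post
        set ocsp_sid [AUTH::start pam default_ssl_ocsp]
    }
    AUTH::cert_credential $ocsp_sid $ssl_cert
    AUTH::cert_issuer_credential $ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $ocsp_sid
    SSL::handshake hold
}

when AUTH_RESULT {
    # Ignore results belonging to some other AUTH session on this connection
    if { $ocsp_sid ne [AUTH::last_event_session_id] } { return }
    switch -- [AUTH::status] {
        success {
            # Only here is the cert both chain-valid and not revoked, so this
            # is the point at which to record it for later HTTP_REQUEST use
            session add uie "msrs_[IP::client_addr]" $ssl_cert 900
            SSL::handshake resume
        }
        error {
            # Responder unreachable or malformed answer: fail closed
            AUTH::abort $ocsp_sid
            set ocsp_sid 0
            reject
        }
        default {
            # failure (revoked or unknown) and wantcredential both end the connection
            reject
        }
    }
}
```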
  • I will rewrite this to move the session add. I am currently running 10.1 but created this iRule on version 9.4.5.

  • hoolio
    In 10.1, you don't need to add the cert details to the session table as LTM does this for you automatically. I haven't had a customer need client cert checking in 10.1 so far, so I haven't had time to play around with it yet. For details on this you can check this post:

    Details for new client cert functionality in v10.1

    Aaron