jklemm2000
Nimbostratus
Apr 13, 2010
Client cert in header/OCSP Irule
I am in need of testing an irule as well as a bit of QA. Basically I am trying to not only pull the client address and insert it into a header but at the same time I am trying to direct traffic to an...
hoolio
Cirrostratus
Apr 13, 2010
Hi John,
Which LTM version are you running? If you're on 9.4.x, you could upgrade to 9.4.8HF3 and then use an iRule like this:
client_cert_request_by_uri_with_ocsp_checking
Else, if you stick with the rule you have, you might want to move the 'session add' command from CLIENTSSL_CLIENTCERT to AUTH_SUCCESS so you're only adding the client's details to the session table after they've presented a valid cert and had that cert verified against the OCSP server. Also, it doesn't look like you're checking the client cert against the root CA certificate. You could add security and save some work if you check the client cert is valid before trying the OCSP check. You can do this using SSL::verify_result. Lastly, several of the AUTH_* events have been deprecated in favor of the AUTH_RESULT event.
Aaron
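The ordering suggested in the reply above, sketched as an iRule. This is an added example, not code from the thread or from the linked codeshare entry. The OCSP auth configuration name `ocsp_auth_config`, the header name `X-Client-Cert-Subject` and the 300-second session timeout are hypothetical, and it assumes the client SSL profile requests a client certificate.

```tcl
# Added example. ocsp_auth_config and X-Client-Cert-Subject are hypothetical names.
when CLIENT_ACCEPTED {
    set ocsp_sid 0
    set cert_ok 0
}
when CLIENTSSL_CLIENTCERT {
    set cert_ok 0
    # No certificate presented: nothing to validate.
    if { [SSL::cert count] == 0 } {
        reject
        return
    }
    # Step 1: chain validation against the trusted CA bundle (0 means OK).
    # Failing here avoids an OCSP lookup for a cert the CA never issued.
    set vr [SSL::verify_result]
    if { $vr != 0 } {
        log local0. "Client cert rejected: [X509::verify_cert_error_string $vr]"
        reject
        return
    }
    # Keep what later events need while the cert is in scope.
    set cert_subject [X509::subject [SSL::cert 0]]
    set ssl_sid [SSL::sessionid]
    # Step 2: revocation check via OCSP, with the handshake held until it returns.
    if { $ocsp_sid == 0 } {
        set ocsp_sid [AUTH::start pam ocsp_auth_config]
        AUTH::subscribe $ocsp_sid
    }
    AUTH::cert_credential $ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $ocsp_sid
    SSL::handshake hold
}
when AUTH_RESULT {
    if { $ocsp_sid != [AUTH::last_event_session_id] } { return }
    if { [AUTH::status] == 0 } {
        # Step 3: record the client only after both checks have passed.
        set cert_ok 1
        session add ssl $ssl_sid [list $cert_subject] 300
        SSL::handshake resume
    } else {
        reject
    }
}
when HTTP_REQUEST {
    # Drop any client-supplied copy so the pool member can trust the value.
    HTTP::header remove X-Client-Cert-Subject
    if { $cert_ok } { HTTP::header insert X-Client-Cert-Subject $cert_subject }
}
```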
