For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mathew_Loesch's avatar
Mathew_Loesch
Icon for Nimbostratus rankNimbostratus
Feb 01, 2017

Client certificate check. Redirect if none, continue if presented.

I need an iRule that checks for the existence of a Client SSL certificate. If no cert, redirect to request page. If present, continue to default pool. However, my example below always points me to...
application delivery
iRules
LTM
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Feb 06, 2017
the problem of your original, next attempt and most recent code is that the $clientCRT variable is not getting initialized, if the user doesn't provide a certificate.

A fix for your problem would be to initialize the $clientCRT variable with value of 0 during CLIENT_ACCEPTED event and overwrite its value to 1 during CLIENTSSL_CLIENTCERT in the case that the client provides a certificate. In this case you will make sure that the HTTP_REQUEST event can savely query the current value of $clientCRT without raising a TCL exeption...

 

when CLIENT_ACCEPTED {
    set clientCRT 0
}
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert 0] ne "" } then {
        set clientCRT 1
    }
}
when HTTP_REQUEST {
    if { $clientCRT } then {
        pool PoolName
    } else { 
        HTTP::redirect "URL" 
    }
}

 

Cheers, Kai