Forum Discussion
William_Them_99
Nimbostratus
Jul 20, 2005
Client Certificates at the Backend?
We have successfully configured the BIGIP device to require client certificates - it accepts the certs and passes the traffic through. Now, we need to be able to read and manipulate the client cert a...
KevinB_49644
Nimbostratus
Jul 06, 2007
Here is the iRule that I have working to get me the certificate information. It does pass it to Oracle in PEM format.
I will post my Java solution to dealing with this next.
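when CLIENTSSL_CLIENTCERT {
    # A non-zero verify result means the client certificate failed verification
    if { [SSL::verify_result] } {
        log LOCAL0.warn "Client cert didn't verify, openssl code=[SSL::verify_result]"
        reject
    }
}
when HTTP_REQUEST {
    # Reject any request that already carries one of the headers set below,
    # so a client cannot supply its own certificate data to the backend
    if { [HTTP::header exists SSL_Client_Cert] || [HTTP::header exists SSL_Client_Cert_Chain_1] } {
        log LOCAL0.warn "removed inbound cert header - possible attack"
        reject
        return
    }
    if { [SSL::cert count] != 0 } {
        set subject { }
        lappend subject [X509::subject [SSL::cert 0]]
        # Pass the client certificate to the backend in PEM format
        HTTP::header replace SSL_Client_Cert [X509::whole [SSL::cert 0]]
        # Only read the second certificate when the chain actually contains one
        if { [SSL::cert count] > 1 } {
            HTTP::header replace SSL_Client_Cert_Chain_1 [X509::whole [SSL::cert 1]]
        }
    }
}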
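An added example, not part of the original thread and not KevinB's Java solution: one way a backend could consume the SSL_Client_Cert header set by the iRule above, written in Python. The function names, the trusted-proxy address set, and the assumption that PEM line breaks may arrive as spaces or folded whitespace are illustrative; the sample bytes are constructed and are not a real certificate.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

class CertHeaderError(ValueError):
    """Raised when the forwarded certificate header is unusable."""

def der_from_header(value):
    """Return DER bytes from a PEM certificate carried in an HTTP header."""
    blocks = PEM_RE.findall(value)
    if len(blocks) != 1:
        raise CertHeaderError("expected exactly one PEM certificate block")
    # Line breaks may arrive as spaces, tabs or folded lines: drop all whitespace.
    b64 = re.sub(r"\s+", "", blocks[0])
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise CertHeaderError("certificate body is not valid base64") from exc
    # A DER certificate is an ASN.1 SEQUENCE, so the first byte is 0x30.
    if not der.startswith(b"\x30"):
        raise CertHeaderError("decoded data is not a DER SEQUENCE")
    return der

def client_cert_fingerprint(headers, peer_ip, trusted_proxies):
    """SHA-256 fingerprint of the forwarded client cert, or None if absent."""
    value = headers.get("SSL_Client_Cert")
    if value is None:
        return None
    # Assumption: only the BIG-IP (trusted_proxies) may assert this header.
    if peer_ip not in trusted_proxies:
        raise CertHeaderError("SSL_Client_Cert accepted only from the BIG-IP")
    return hashlib.sha256(der_from_header(value)).hexdigest()

# Constructed sample: placeholder bytes shaped like a DER SEQUENCE, not a real cert.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed"
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n")
# The same PEM as it could look after header transport (newlines became spaces).
SAMPLE_HEADER = SAMPLE_PEM.strip().replace("\n", " ")
```

The fingerprint gives the backend a stable value to map to an account; full X.509 parsing of the DER bytes would need a certificate library, which this example leaves out.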