Forum Discussion
Ted_51200
Nimbostratus
Apr 14, 2008
Client SSL Cert Irule
I am looking to request a client SSL cert only if a specific URL is requested, but ignore it if not.
My Irule
when CLIENTSSL_CLIENTCERT {
set the_cert [SSL::...
Nicolas_Menant
Employee
Apr 23, 2008
Ok, thanks for your logging details!!
I checked the wiki and it seems you need to do an HTTP::collect ... I'm unsure why, but rule #1: DevCentral's wiki should be trusted 😄
when CLIENTSSL_HANDSHAKE {
    log local0. "client SSL Handshake"
    # Release the request held by HTTP::collect once a certificate was presented
    if { [SSL::cert count] > 0 } {
        log local0. "client SSL Handshake...HTTP released"
        HTTP::release
    }
}
when CLIENTSSL_CLIENTCERT {
    log local0. "start CLIENTSSL_CLIENTCERT"
    set the_cert [SSL::cert 0]
    set pkiSubject [X509::subject $the_cert]
    set pkiIssuer [X509::issuer $the_cert]
    log local0. "end CLIENTSSL_CLIENTCERT"
}
when HTTP_REQUEST {
    log local0. "start HTTP_REQUEST, uri is [HTTP::uri]"
    if { [HTTP::uri] starts_with "/SLFCSSOCollector/ssl/" } {
        log local0. "URI /SLFCSSOCollector/ssl/ detected!"
        if { [SSL::cert count] == 0 } {
            # No certificate yet: hold the request and renegotiate, requiring one
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            log local0. "no certificate found... force SSL"
            SSL::cert mode require
            SSL::renegotiate
            log local0. "end HTTP_REQUEST"
        } else {
            # This branch pairs with the certificate-count check, so SSL::cert 0
            # is only read when a certificate is actually present
            log local0. "certificate found!"
            set the_cert [SSL::cert 0]
            set pkiSubject [X509::subject $the_cert]
            set pkiIssuer [X509::issuer $the_cert]
            HTTP::header insert CLIENTSSL_Status [SSL::verify_result]
            HTTP::header insert CLIENTSSL_StatusString [X509::verify_cert_error_string [SSL::verify_result]]
            HTTP::header insert CLIENTSSL_CN $pkiSubject
            HTTP::header insert CLIENTSSL_SSLIssuer $pkiIssuer
            HTTP::header insert CLIENTSSL_SSLClientCertSN [X509::serial_number $the_cert]
            HTTP::header insert CLIENTSSL_Cert [b64encode $the_cert]
        }
    }
}
This way it applies the recommendation from the wiki: Click here
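The application behind the virtual server still has to decide whether to believe the CLIENTSSL_* headers it receives. A sketch of that check in Python, added here as an example and not part of the original post; `client_identity`, `ClientCertError` and the sample values are hypothetical, and it assumes the backend sees the request headers as a list of name/value pairs.

```python
import base64
import binascii
import hashlib

# Header names inserted by the iRule in the post above.
REQUIRED = ("CLIENTSSL_Status", "CLIENTSSL_CN", "CLIENTSSL_SSLIssuer",
            "CLIENTSSL_SSLClientCertSN", "CLIENTSSL_Cert")


class ClientCertError(Exception):
    """The forwarded client-certificate headers cannot be trusted."""


def client_identity(headers):
    """Validate one request's CLIENTSSL_* headers (hypothetical helper).

    headers is a list of (name, value) pairs, so repeats stay visible."""
    found = {}
    for name, value in headers:
        key = name.lower()
        if not key.startswith("clientssl_"):
            continue
        if key in found:
            # HTTP::header insert adds a header rather than replacing one, so
            # a repeat means another copy was already on the request.
            raise ClientCertError("duplicate header: " + name)
        found[key] = value.strip()
    missing = [h for h in REQUIRED if h.lower() not in found]
    if missing:
        raise ClientCertError("missing headers: " + ", ".join(missing))
    # SSL::verify_result is 0 only when certificate verification succeeded.
    if found["clientssl_status"] != "0":
        raise ClientCertError("verify_result " + found["clientssl_status"])
    try:
        der = base64.b64decode(found["clientssl_cert"], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ClientCertError("certificate is not valid base64") from exc
    if der[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
        raise ClientCertError("certificate is not DER")
    return {"subject": found["clientssl_cn"],
            "issuer": found["clientssl_sslissuer"],
            "serial": found["clientssl_sslclientcertsn"],
            "sha256": hashlib.sha256(der).hexdigest()}


# Constructed sample: the bytes are a tiny DER SEQUENCE, not a real certificate.
SAMPLE = [("CLIENTSSL_Status", "0"), ("CLIENTSSL_CN", "CN=alice"),
          ("CLIENTSSL_SSLIssuer", "CN=Example CA"),
          ("CLIENTSSL_SSLClientCertSN", "01"), ("CLIENTSSL_Cert", "MAMCAQE=")]
```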