For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jason_Jernigan_'s avatar
Jason_Jernigan_
Icon for Nimbostratus rankNimbostratus
Mar 06, 2006

Client SSL Insert

I've got a site using client SSL cert inserted to the header for authentication with the backend web server. The irule is as follows.     when CLIENTSSL_CLIENTCERT {   if { [SSL::cert cou...
application delivery
dev
devops
iRules
Jason_Jernigan_'s avatar
Jason_Jernigan_
Icon for Nimbostratus rankNimbostratus
Mar 06, 2006
I added some logging to figure out what was going on. Below is the irule with the logging enabled.

 

 

when CLIENTSSL_CLIENTCERT {

 

log "begining"

 

log "ssl cert count = + [SSL::cert count]"

 

if { [SSL::cert count] > 0 } {

 

session add ssl [SSL::sessionid] [X509::cert_fields [SSL::cert 0] [SSL::verify_result] whole] 450

 

log "session ID: + [SSL::sessionid] + [X509::cert_fields [SSL::cert 0] [SSL::verify_result] whole]"

 

log "certfields lookup = [session lookup ssl [SSL::sessionid]]"

 

}

 

}

 

 

 

when HTTP_REQUEST {

 

log "http_request sessionid= + [SSL::sessionid]"

 

set certfields [session lookup ssl [SSL::sessionid]]

 

log "certfields before if + $certfields"

 

if { $certfields != "" } {

 

HTTP::header insert $certfields

 

}

 

log "Ending"

 

}

 

 

Attached are the logs that this irule produced. The section of logs labeled incorrect is when the default pool was not the same pool that the next irule chose. You can see by looking at the logs that the session lookup command fails under the HTTP_REQUEST section but works fine in the CLIENTSSL_CLIENTCERT section.