
meverett_60507
Sep 29, 2010

ClientSSL_ClientCert Event




I have been working on an iRule for client authentication that validates the CN field and inserts certain fields from the X.509 certificates in the HTTP headers. There are numerous examples and codeshare samples (thanks everyone) that I used as a reference. I have created a rule and have it working exactly as expected for one application in production. However, I have another application in QA that I have trouble with.



One of our business partners is verifying a new web service. When the developer tests using the utilities on her own machine (WebSphere as the platform) the rule works properly. The LTM requests the cert and processes as the iRule dictates. However, if she runs the test from a QA server the rule never executes the CLIENTSSL_CLIENTCERT event, and my code returns an HTTP 401 error code (as expected) b/c I never receive an SSL cert.



It is my understanding the CLIENTSSL_CLIENTCERT event is fired whenever a client certificate is requested -- whether one is provided or not. So, if that is the case, can anyone think of a reason why the CLIENTSSL_CLIENTCERT event would fire for one client, but not another? The virtual server and iRule are the same for both clients.


Any help would be appreciated.


1 Reply

  • I remember a bug in some versions of 9.4.x where CLIENTSSL_CLIENTCERT wouldn't always fire. There was a hotfix for 9.4.x which corrected the issue in my testing. However, after upgrading to 10.1, I think the issue recurred.



    Which LTM version are you running?



    Maybe the difference you're seeing between the production and QA LTMs is due to the advertised CA bundle configured on the two? If the client doesn't have a client cert from any CA in the advertised CA bundle LTM sends, it won't prompt the user to select a client cert (or send one automatically). Or have I misunderstood your scenario?
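
The advertised-CA check suggested in the reply can be run from the failing client host. This is an added example, not part of the original thread: it parses the "Acceptable client certificate CA names" section of `openssl s_client` output and tests whether any issuer in the client's certificate chain is on that list. The sample output, the DNs and the function names are constructed for illustration.

```python
import re

# Constructed sample modeled on `openssl s_client -connect host:443` output;
# the DNs are made up. Both OpenSSL DN print styles are shown on purpose.
SAMPLE_S_CLIENT = """\
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Partner CA
/C=US/O=Example Corp/CN=Example Internal CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
"""

# Lines that end the CA-name list in s_client output.
_SECTION_END = ("---", "Client Certificate Types",
                "Requested Signature Algorithms",
                "Shared Requested Signature Algorithms",
                "Peer signing digest", "Server Temp Key")


def normalize_dn(dn):
    """Reduce either OpenSSL DN style to a comparable tuple of (attr, value).

    Simplification: values that themselves contain ',' or '/' are not handled.
    """
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else re.split(r",\s*", dn)
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip().lower()))
    return tuple(pairs)


def advertised_cas(s_client_output):
    """Return the set of advertised CA DNs (empty set if none were sent)."""
    names, in_section = set(), False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            in_section = True
        elif in_section:
            if not line.strip() or line.startswith(_SECTION_END):
                break
            names.add(normalize_dn(line))
    return names


def client_would_offer(chain_issuers, s_client_output):
    """True if any issuer in the client's chain is advertised by the server.

    An empty advertised list leaves the client free to send any certificate.
    """
    cas = advertised_cas(s_client_output)
    return not cas or any(normalize_dn(i) in cas for i in chain_issuers)
```

Running this against `s_client` output captured from both the developer's machine and the QA server shows whether the two hosts see the same advertised list and whether the QA server's keystore holds a certificate issued under it.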