Forum Discussion

Stephen_Archer_
Historic F5 Account
Apr 28, 2008

CLIENTSSL_HANDSHAKE event not triggered...?

I'm trying to create an iRule to authenticate user requests using SSL auth, but only when a specific URI is used. The iRule posted below is a simplified version of my 'full' iRule - and I get the same problem when using the simplified version too.

In short, when I attempt a connection to this VIP using the /secure_uri, the LTM prompts my browser for a client cert, which I present. However, when I check the logs on the LTM, the "Client cert is OK; releasing HTTP request." message is never logged, so I assume that after the 'SSL::renegotiate' the CLIENTSSL_HANDSHAKE event is never triggered...? Anyone have any clue why this is? I'm probably being stupid... but that's your reward for figuring this out... call me stupid ;-)

Thanks in advance.

    when CLIENTSSL_HANDSHAKE {
        # Once the client has presented a certificate, let the held request through.
        if { [SSL::cert count] != 0 } {
            log "Client cert is OK; releasing HTTP request."
            HTTP::release
            pool pool_X_443
        }
    }

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "/secure_uri" } {
            log "Certificate required for: [HTTP::uri]"
            if { [SSL::cert count] == 0 } {
                # No cert on this connection yet: hold the request and
                # renegotiate so the client is asked for one.
                log "No cert found. Holding HTTP request until a client cert is presented..."
                HTTP::collect
                set session_flag 1
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        } else {
            # Tcl requires 'else' on the same line as the closing brace of the if.
            log "No certificate needed for: [HTTP::uri]"
            SSL::disable serverside
            pool pool_Y_80
        }
    }

  • Colin_Walker_12
    Historic F5 Account
    Have you tried moving the log statement outside of the if brackets? It might clear up whether or not it's an issue with the event firing, or your if comparison not being met...

    Colin
  • Stephen_Archer_
    Historic F5 Account
    Thanks for the advice. I tried moving the log statement as you suggested and it proves that the CLIENTSSL_HANDSHAKE event is not triggered. I also added a log statement immediately after the 'SSL::renegotiate'. I now see the following in the logs:

    HTTP_REQUEST: No cert found.
    HTTP_REQUEST: renegotiated

    And nothing else. On the client side (my browser), I am prompted for a cert. I supply one and then get no response.

    Any ideas?

  • Colin_Walker_12
    Historic F5 Account
    That's pretty interesting. You're not seeing the CLIENTSSL_HANDSHAKE event occurring even after the renegotiate command fires? Have you tried switching that to a CLIENTSSL_CLIENTCERT event to see if a cert is being added to the cert chain at all? It could be that the handshake is failing for some reason, but that seems odd.

    Colin
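    Colin's two diagnostics (logging outside the if, and watching CLIENTSSL_CLIENTCERT) written out as one iRule. This is an added example, not code from either poster: the /secure_uri prefix and pool names are carried over from the posted iRule, and the cert_needed variable is made up here.

```tcl
# Added example, not the posters' code: the original URI-gated hold plus
# Colin's two diagnostics (unconditional logging in CLIENTSSL_HANDSHAKE and a
# CLIENTSSL_CLIENTCERT handler). /secure_uri and the pool names are taken from
# the posted iRule; the variable name cert_needed is made up here.

when CLIENT_ACCEPTED {
    # Connection-scoped flag: set only once a protected URI has been seen.
    set cert_needed 0
}

when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/secure_uri" } {
        if { [SSL::cert count] == 0 } {
            # Hold the request and ask the client for a certificate.
            set cert_needed 1
            log local0. "HTTP_REQUEST: holding [HTTP::uri] until a cert arrives"
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
            return
        }
        pool pool_X_443
    } else {
        # Unprotected URIs: never prompt for a certificate.
        SSL::disable serverside
        pool pool_Y_80
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires when the client sends its certificate chain during the (re)handshake.
    log local0. "CLIENTSSL_CLIENTCERT: [SSL::cert count] cert(s) received"
    if { [SSL::cert count] > 0 } {
        log local0. "CLIENTSSL_CLIENTCERT: subject [X509::subject [SSL::cert 0]]"
    }
}

when CLIENTSSL_HANDSHAKE {
    # Logged outside the if: a missing line means the event never fired,
    # not that the comparison failed.
    log local0. "CLIENTSSL_HANDSHAKE: [SSL::cert count] cert(s) on connection"
    if { $cert_needed && [SSL::cert count] > 0 } {
        set cert_needed 0
        pool pool_X_443
        HTTP::release
    }
}
```

    Comparing which of the three log lines appear for a held /secure_uri request shows whether the client's certificate ever reaches the LTM and whether the handshake completes, which is the question the thread leaves open.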
  • Stephen_Archer_
    Historic F5 Account
    Hi Colin, I've tried your suggestion, and moved forward somewhat now. The problem I'm now having is that if I set the ClientSSL Profile to 'request' or 'require' client cert, it works for the 'secure' URIs. However, it also requests a cert for the 'insecure' URIs - but we do not want 'insecure' users prompted for a cert at all. If I set the ClientSSL Profile to 'ignore' then neither the 'secure' URIs nor the 'insecure' URIs work.

    Any ideas? (thanks for your help with this - it's much appreciated)
  • @Stephen:

    Did you find a solution?

    I have the same situation here, with TLSv1.2 enabled on the client side, where the client wants to access a specific URI requiring a client cert.