Forum Discussion

Robert_Decker_2
Apr 24, 2006

Does HTTP::respond or HTTP::redirect work with OCSP?

Could anybody tell me if redirect or respond works with ssl ocsp AUTH_FAILURE and AUTH_ERROR? I've been able to make it work with LDAP, but not ssl ocsp. I get errors like:

01070151:3: Rule [something] error:
line 41: [command is not valid in current event context (AUTH_ERROR)] [HTTP::redirect "http://x.x.x.x"]

or

TCL error: Rule something AUTH_FAILURE - Operation not supported line 1 invoked from within HTTP::respond 401

Thank you,

Rob
  • Colin_Walker_12
    Historic F5 Account
    HTTP::respond should be a valid command under both AUTH_FAILURE and AUTH_ERROR.

    Here's a link to an example of a rule doing just that, as a matter of fact: Click here

    Perhaps you're missing the information following the status code?

    Colin
  • Could you verify that the respond code works with ssl ocsp? It seems like the following iRule I am using will not work with HTTP::respond. (x.x.x.x is an IP on our production network.) The BIG-IP OS version is 9.2.3 Build 34.3.

    Fri Apr 28 08:15:29 CDT 2006 tmm tmm[1042] 01220001 TCL error: Rule does_not_work AUTH_FAILURE - Operation not supported line 1 invoked from within HTTP::respond 302 Location https://x.x.x.x

    when CLIENT_ACCEPTED {
        # Start a PAM authentication session using the default_ssl_ocsp profile
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
    }

    when CLIENTSSL_HANDSHAKE {
        # Cache the client certificate under the SSL session ID so HTTP_REQUEST can look it up
        set cur [SSL::sessionid]
        set ask [session lookup ssl $cur]
        if { $ask eq "" } { session add ssl [SSL::sessionid] [SSL::cert 0] }
    }

    when CLIENTSSL_CLIENTCERT {
        # Hand the client cert and its issuer to the OCSP authenticator and hold the handshake
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        SSL::handshake hold
        set id [SSL::sessionid]
    }

    when AUTH_SUCCESS {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            SSL::handshake resume
        }
    }

    when AUTH_FAILURE {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            # This is the line that raises "Operation not supported" in the log above
            HTTP::respond 302 Location "https://x.x.x.x"
        }
    }

    when AUTH_WANTCREDENTIAL {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            reject
        }
    }

    when AUTH_ERROR {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            reject
        }
    }

    when HTTP_REQUEST {
        # Look the cached cert up again and pass its details to the server as headers
        set id [SSL::sessionid]
        set the_cert [session lookup ssl $id]
        log local0. "the cert is $the_cert"
        if { $the_cert != ""} {
            HTTP::header insert CertAuth "PASS"
            HTTP::header insert SSLClientCertSubject [X509::subject $the_cert]
            HTTP::header insert SSLClientCertIssuer [X509::issuer $the_cert]
            HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $the_cert]
            HTTP::header insert SSLClientCertValidUntil [X509::not_valid_after $the_cert]
            HTTP::header insert SSLClientCert [b64encode $the_cert]
        }
        if { $the_cert == ""} {
            HTTP::header insert CertAuth "Fail"
        }
    }

    Thank you,

    Rob

  • Colin_Walker_12
    Historic F5 Account
    The authentication method that you're using shouldn't have any relevancy on which commands are available under which events in the iRule.

    Have you tried passing a different response code with your respond command? If you look at the command I linked earlier in the post, there's a good example of passing a 401 response with a custom message.

    Perhaps try this first to see if it will work in your setup, and then work from there?

    Colin
  • I tried a 401 response with the following log:

    Fri Apr 28 11:52:49 CDT 2006 tmm tmm[1042] 01220001 TCL error: Rule does_not_work2 AUTH_FAILURE - Operation not supported line 2 invoked from within HTTP::respond 401

    when CLIENT_ACCEPTED {
        # Start a PAM authentication session using the default_ssl_ocsp profile
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
    }

    when CLIENTSSL_HANDSHAKE {
        # Cache the client certificate under the SSL session ID so HTTP_REQUEST can look it up
        set cur [SSL::sessionid]
        set ask [session lookup ssl $cur]
        if { $ask eq "" } { session add ssl [SSL::sessionid] [SSL::cert 0] }
    }

    when CLIENTSSL_CLIENTCERT {
        # Hand the client cert and its issuer to the OCSP authenticator and hold the handshake
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        SSL::handshake hold
        set id [SSL::sessionid]
    }

    when AUTH_SUCCESS {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            SSL::handshake resume
        }
    }

    when AUTH_FAILURE {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            # Same failure as before, now with a bare 401 (line 2 in the log above)
            HTTP::respond 401
        }
    }

    when AUTH_WANTCREDENTIAL {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            reject
        }
    }

    when AUTH_ERROR {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            reject
        }
    }

    when HTTP_REQUEST {
        # Look the cached cert up again and pass its details to the server as headers
        set id [SSL::sessionid]
        set the_cert [session lookup ssl $id]
        log local0. "the cert is $the_cert"
        if { $the_cert != ""} {
            HTTP::header insert CertAuth "PASS"
            HTTP::header insert SSLClientCertSubject [X509::subject $the_cert]
            HTTP::header insert SSLClientCertIssuer [X509::issuer $the_cert]
            HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $the_cert]
            HTTP::header insert SSLClientCertValidUntil [X509::not_valid_after $the_cert]
            HTTP::header insert SSLClientCert [b64encode $the_cert]
        }
        if { $the_cert == ""} {
            HTTP::header insert CertAuth "Fail"
        }
    }

    Any thoughts? Is there a specific response to be used with ocsp?

    Thank you,

    Rob
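The following iRule is an added example, not Rob's or F5's code, showing one way to send an HTTP-layer response after an OCSP failure without calling HTTP::respond inside AUTH_FAILURE or AUTH_ERROR. It rests on one assumption: in the rule above the OCSP authentication runs while the TLS handshake is held, so AUTH_FAILURE and AUTH_ERROR fire before any HTTP request has been parsed, and that is why an HTTP command there reports "Operation not supported". The example records the outcome in a connection variable (the name ocsp_status is made up for this example) and defers the reply to HTTP_REQUEST, where HTTP commands are valid.

```tcl
# Added example, not from the original thread. Assumes AUTH_FAILURE / AUTH_ERROR
# run while the handshake is still held (no HTTP request yet), so the HTTP reply
# is deferred to HTTP_REQUEST. ocsp_status is an assumed variable name.
when CLIENT_ACCEPTED {
    set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
    # Outcome of the OCSP check; anything other than "good" is denied at the HTTP layer,
    # which also covers a client that never presents a certificate
    set ocsp_status "pending"
}

when CLIENTSSL_CLIENTCERT {
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    SSL::handshake hold
}

when AUTH_SUCCESS {
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        set ocsp_status "good"
        SSL::handshake resume
    }
}

when AUTH_FAILURE {
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        # Record the failure and let the handshake finish so an HTTP reply can be sent.
        # No HTTP command is issued in this event.
        set ocsp_status "revoked"
        log local0. "OCSP check failed for SSL session [SSL::sessionid]"
        SSL::handshake resume
    }
}

when AUTH_ERROR {
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        # Responder unreachable or malformed reply: fail closed, same path as a revoked cert
        set ocsp_status "error"
        log local0. "OCSP responder error for SSL session [SSL::sessionid]"
        SSL::handshake resume
    }
}

when AUTH_WANTCREDENTIAL {
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        reject
    }
}

when HTTP_REQUEST {
    # An HTTP request now exists, so HTTP::respond is valid here
    if { $ocsp_status ne "good" } {
        HTTP::respond 403 content "Client certificate not accepted" "Content-Type" "text/plain"
        return
    }
    HTTP::header insert CertAuth "PASS"
}
```

The trade-off is that a client whose certificate failed the OCSP check still completes the TLS handshake and gets an HTTP error page instead of a dropped connection; if a dropped connection is acceptable, keeping `reject` in AUTH_FAILURE (as the original rule does for AUTH_ERROR) is the simpler choice. A redirect can be sent the same way by replacing the `HTTP::respond 403 ...` line with `HTTP::redirect` inside HTTP_REQUEST.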