[F5 LTM 11.4.1 HF9][2-Way-auth] CLIENTSSL_CLIENTCERT is not triggered in the Irule
I have recently dealt with this issue. What you are dealing with is an SSL abbreviated handshake. After the client cert is validated, future connections can present the SSL session id to say they belong to an existing session, and this uses an abbreviated handshake which no longer requires the client to be validated again.
This means CLIENTSSL_CLIENTCERT will only be triggered on the initial connection, and subsequent connections will not trigger the event. You can be secure in the fact that they are still the same client.
Note: This causes problems when you need to include information from the SSL negotiation in future HTTP requests. Future connections will not have access to the information in the original connection, as they do not share variable scope. In this case you need to store the shared info in session tables using the SSL session id as the key. Then in HTTP you can retrieve it from the table, as the session id will still be associated with the subsequent connection and can be retrieved using [SSL::sessionid].
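One way to do that table hand-off in an iRule, as an added example that is not code from the original post or from F5: the certificate subject is stored under the SSL session id when CLIENTSSL_CLIENTCERT fires on the full handshake, and every HTTP_REQUEST (including those on resumed connections where the event never fires) looks it up by the same key. The subtable name "clientcert", the header name X-Client-Cert-Subject and the 3600-second timeout are assumptions for the example.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Fires only on the full handshake. Resumed (abbreviated) handshakes
    # skip client certificate validation, so this event never runs for them.
    if { [SSL::cert count] > 0 } {
        set subject [X509::subject [SSL::cert 0]]
        # Key the entry on the SSL session id: a resumed connection presents
        # the same id, so it can find the subject even though it shares no
        # variable scope with the connection that validated the cert.
        # Subtable name and 3600s timeout are example choices (assumption).
        table set -subtable "clientcert" [SSL::sessionid] $subject 3600
    }
}

when HTTP_REQUEST {
    # Always strip the client-supplied copy first so a client cannot inject
    # its own value for the header the back end trusts.
    HTTP::header remove "X-Client-Cert-Subject"

    # table lookup returns "" when no entry exists for this session id
    # (no cert was presented, or the entry expired).
    set subject [table lookup -subtable "clientcert" [SSL::sessionid]]
    if { $subject ne "" } {
        # Refresh the timeout so a busy client keeps its entry alive.
        table lookup -subtable "clientcert" [SSL::sessionid]
        HTTP::header insert "X-Client-Cert-Subject" $subject
    }
}
```

Because the table entry is populated only on a validated full handshake, a connection that resumes a session without ever having presented a certificate simply finds no entry and the header is left off, which is the check a back end should rely on rather than on the mere presence of the event.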