Forum Discussion
Rodolphe_AUBINE
Nimbostratus
NimbostratusFront location replaced by an irule works on Firefox but not on IE...
Hi,
You will see below an irule written in order to replace a location defined on a front server for a url /appli/verifyx509.jsp which activates client certificate authentication.
This irule works on Firefox browser 3.6 but not on IE 6, the HTTP::redirect seems to be made before.
My problem is without the HTTP::redirect, the client certificate authentication works well, but the certificate is never placed in the header of the request.
Could you give me some help ? I think I forgot something...
IRULE :
when CLIENT_ACCEPTED {
set session_flag 0
}
when CLIENTSSL_HANDSHAKE {
if { [SSL::cert count] != 0 } {
HTTP::release
}
}
when HTTP_REQUEST {
if{ [HTTP::uri] contains "verifyx509.jsp" } {
if { [SSL::cert count] == 0 } {
HTTP::collect
set session_flag 1
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode require
SSL::renegotiate
}
if {[SSL::cert count] == 1} {
HTTP::header insert "X509CertificatePresent" "true"
HTTP::header insert "X509Certificate" [b64encode [SSL::cert 0]]
}
else {
HTTP::redirect /appli/verifyx509.jsp
}
}
}
hoolioCirrostratus
Hi Rodolphe,
I ran into a similar situation where IE6 was still re-using the same SSL session ID even after re-negotiation. You should be able to prevent this by adding SSL::session invalidate just before you call SSL::renegotiate.
http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__session.html
Aaron