Help with IRule Client Auth Certs

Question

I have an IRule below that I'm working on.  My intent is to enforce client certificate authentication on two URI's only and if any client certificate errors should result in a redirect to a custom error page.  The VS has a SSL profile set to 'ignore' client certificates.  This rule successfully processes the first two 'If' statements.  The problem is that the custom error page is not displayed.  Any help would be appreciated. when HTTP_REQUEST {
	if { not ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")} {
			return
	} else {

if { ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")} {
		SSL::session invalidate
&nbsp;&nbsp;&nbsp;&nbsp;SSL::authenticate always
&nbsp;&nbsp;&nbsp;&nbsp;SSL::authenticate depth 9
&nbsp;&nbsp;&nbsp;&nbsp;SSL::cert mode require
&nbsp;&nbsp;&nbsp;&nbsp;set cmd "SSL::profile /Common/require_clientssl"
&nbsp;&nbsp;&nbsp;&nbsp;eval $cmd
&nbsp;&nbsp;&nbsp;&nbsp;SSL::renegotiate
&nbsp;	} else {
if {[SSL::verify_result] == 0 }{
			return			
&nbsp;&nbsp;} else {
HTTP::respond 302 Location "http://error.com/error.html" Cache-Control No-Cache Pragma No-Cache
}
}
}
}

I have another rule that meets two of the three requirements.  With the VS SSL profile set to 'request' client certs.  This rule does provide a custom error page when Cert errors occur on the two named URI's.  But it also results in a certificate prompt for users who access other URI's due to the default SSL profile setting.when HTTP_REQUEST {
if { not ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")} {
			return
	} else {
if {[SSL::verify_result] == 0 }{
			return			
&nbsp;&nbsp;} else {
HTTP::respond 302 Location "http://error.com/error.html" Cache-Control No-Cache Pragma No-Cache
}
}
}

simon_blakely · Accepted Answer

Your HTTP::respond 302 is in the else clause of your second if statement.It is never reached.when HTTP_REQUEST {
	if { not ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")} {
                        # This path has no client-authentication
			return
	} else {
      # perform client-authentication if the uri matches
      if { ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")} {
		SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        set cmd "SSL::profile /Common/require_clientssl"
        eval $cmd
        SSL::renegotiate
 	  } else {
        # we cannot execute this path because of the first *if* statement
        if {[SSL::verify_result] == 0 }{
			return			
        } else {
          HTTP::respond 302 Location "http://error.com/error.html" Cache-Control No-Cache Pragma No-Cache
        }
      }
    }
}Try something likewhen HTTP_REQUEST {
	if { not ([HTTP::uri] starts_with "/uri1") || ([HTTP::uri] starts_with "/uri2")} {
      # we don't need to renegotiate with client-authentication
	  return
	} else {
      # we do need to renegotiate with client-authentication
  	  SSL::session invalidate
      SSL::authenticate always
      SSL::authenticate depth 9
      SSL::cert mode require
      set cmd "SSL::profile /Common/require_clientssl"
      eval $cmd
      SSL::renegotiate
      # check if renegotiation with client-auth succeeded
      if {[SSL::verify_result] == 0 }{
		return			
      } else {
        HTTP::respond 302 Location "http://error.com/error.html" Cache-Control No-Cache Pragma No-Cache
      }
	}
}but I haven't tested this to check ...

Forum Discussion

Help with IRule Client Auth Certs

Recent Discussions

Protect game servers

Irules Editor

SSL Server Profile

VAPT or APT tools scan prevention

High CPU utilization (100%).

Related Content

Pass client cert based on POST data

SSL cert

BIG IP 201 Cert

iRule to hide URI from client side

Client cert authentication and TLS1.3

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS