Forum Discussion

Robert_Decker_2
Apr 21, 2006

how to add client cert info to ocsp request

Could somebody tell me how to include SSL cert info in the iRule listed below?

```tcl
when CLIENT_ACCEPTED {
    # Start an OCSP authentication session using the default_ssl_ocsp PAM config
    set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
}

when CLIENTSSL_CLIENTCERT {
    # Hand the client cert and its issuer to the OCSP responder, then pause
    # the handshake until one of the AUTH_* events reports the result
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    SSL::handshake hold
    set id [SSL::sessionid]
}

when AUTH_SUCCESS {
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        SSL::handshake resume
        # Record the OCSP result against this SSL session id
        set Z "success"
        session add ssl $id $Z
    }
}

when AUTH_FAILURE {
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        SSL::handshake resume
        set Z "redirect"
        session add ssl $id $Z
    }
}

when AUTH_WANTCREDENTIAL {
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        # No usable credential was supplied: drop the connection
        reject
    }
}

when AUTH_ERROR {
    if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
        SSL::handshake resume
        set Z "redirect"
        session add ssl $id $Z
    }
}

when HTTP_REQUEST {
    # Look up the OCSP result recorded for this SSL session
    set id [SSL::sessionid]
    set y [session lookup ssl $id]
    log local0. "y is: $y"
    if { $y contains "redirect" } {
        HTTP::redirect "http://x.x.x.x"
    }
}
```


Thank you,

 

Rob
  • Colin_Walker_12
    Historic F5 Account
    Well, since your question is rather generic, I can't give any specific examples, but I can certainly point you to the commands that allow you to insert whatever client data you'd like.

    Check out the X509 section of the iRules Wiki as well as the SSL section.

    HTH,

    Colin
  • Sorry about the generic question... I will try to do better. I am trying to add the SSL cert fields as HTTP headers to an SSL OCSP iRule that allows redirection. Below are the fields I would like to include:

    ```tcl
    HTTP::header insert SSLClientCertStatus $y
    HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $y]
    HTTP::header insert SSLClientCertValidUntil [X509::not_valid_after $y]
    HTTP::header insert SSLClientCertSubject [X509::subject $y]
    HTTP::header insert SSLClientCertIssuer [X509::issuer $y]
    ```

    I am not really sure where I need to add lines to create the cert fields. The iRule usually breaks and states that the variable doesn't exist every time I try to add lines from other iRules that deal with SSL certs.

    In addition, I would like to redirect all expired and revoked certs, but it seems like the BIG-IP checks its local date and resets the connection before it even reaches the iRule (please correct me if I am wrong on this). I would like to include an "HTTP::respond 301 content http://x.x.x.x" or "HTTP::redirect http://x.x.x.x" line in AUTH_FAILURE, AUTH_WANTCREDENTIAL, and AUTH_ERROR, but it seems like it will not work. I noticed the previous iRule on another post and am trying to make the redirection function work. Please let me know if there is a simpler way of doing this.

    Any help would be greatly appreciated.

    Thank you,

    Rob


  • Below is the iRule I used to gather cert information. It works until I try to add the redirect/success statements and adding it to the session. It seems like adding that to the session overwrites the cert info. Any thoughts on how to avoid this?

    Thank you,

    Rob

    ```tcl
    when CLIENT_ACCEPTED {
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
    }

    when CLIENTSSL_HANDSHAKE {
        # Cache the raw client cert in the session table, keyed by SSL session id,
        # the first time this session is seen
        set cur [SSL::sessionid]
        set ask [session lookup ssl $cur]
        if { $ask eq "" } { session add ssl [SSL::sessionid] [SSL::cert 0] }
    }

    when CLIENTSSL_CLIENTCERT {
        # Send the cert and issuer to OCSP and hold the handshake for the answer
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        SSL::handshake hold
        set id [SSL::sessionid]
    }

    when AUTH_SUCCESS {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            SSL::handshake resume
            set Z "success"
            # Same key as CLIENTSSL_HANDSHAKE: this replaces the cached cert with "success"
            session add ssl $id $Z
        }
    }

    when AUTH_FAILURE {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            SSL::handshake resume
            set Z "redirect"
            session add ssl $id $Z
        }
    }

    when AUTH_WANTCREDENTIAL {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            reject
        }
    }

    when AUTH_ERROR {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            SSL::handshake resume
            set Z "redirect"
            session add ssl $id $Z
        }
    }

    when HTTP_REQUEST {
        # Fetch whatever is stored for this SSL session (the cert, unless an
        # AUTH_* event has overwritten it with a status string)
        set id [SSL::sessionid]
        set the_cert [session lookup ssl $id]
        log local0. "the cert is $the_cert"
        if { $the_cert != "" } {
            HTTP::header insert SSLClientCertSubject [X509::subject $the_cert]
            HTTP::header insert SSLClientCertIssuer [X509::issuer $the_cert]
            HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $the_cert]
            HTTP::header insert SSLClientCertValidUntil [X509::not_valid_after $the_cert]
            HTTP::header insert SSLClientCert [b64encode $the_cert]
        }
    }
    ```
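An added example, not code from the thread or from F5: one way to stop the OCSP result and the cached cert from overwriting each other is to keep the cert in a connection variable and store both values under the one session key as a two-element Tcl list, then strip any client-supplied copies of the cert headers before inserting the BIG-IP's own. It assumes the thread's PAM config name and placeholder redirect URL, that AUTH_ERROR and AUTH_WANTCREDENTIAL are handled exactly as in Rob's rule (omitted here), and that the session table returns the stored list unchanged (the thread already stores the raw cert there).

```tcl
when CLIENT_ACCEPTED {
    set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
}
when CLIENTSSL_CLIENTCERT {
    # Keep the DER cert in a connection variable so the AUTH_* events can
    # store it alongside the OCSP result instead of overwriting it.
    set client_cert [SSL::cert 0]
    set id [SSL::sessionid]
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid $client_cert
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    SSL::handshake hold
}
when AUTH_SUCCESS {
    if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
        SSL::handshake resume
        # One session entry holds both values as a Tcl list: {status cert}
        session add ssl $id [list "success" $client_cert]
    }
}
when AUTH_FAILURE {
    if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
        SSL::handshake resume
        session add ssl $id [list "redirect" $client_cert]
    }
}
when HTTP_REQUEST {
    # Drop any client-supplied copies of these headers first, so the backend
    # only ever sees values the BIG-IP set (header names assumed from the thread).
    foreach h {SSLClientCertStatus SSLClientCertSubject SSLClientCertIssuer \
               SSLClientCertValidFrom SSLClientCertValidUntil} {
        HTTP::header remove $h
    }
    set entry [session lookup ssl [SSL::sessionid]]
    set status [lindex $entry 0]
    set the_cert [lindex $entry 1]
    if { $status ne "success" } {
        # No entry, failed, or errored OCSP check: redirect instead of proxying
        HTTP::redirect "http://x.x.x.x"
        return
    }
    HTTP::header insert SSLClientCertStatus $status
    HTTP::header insert SSLClientCertSubject [X509::subject $the_cert]
    HTTP::header insert SSLClientCertIssuer [X509::issuer $the_cert]
    HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $the_cert]
    HTTP::header insert SSLClientCertValidUntil [X509::not_valid_after $the_cert]
}
```

Because the status and the cert now live in the same entry, a later AUTH_* event for the same session replaces both together rather than clobbering the cert with a bare string.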