Forum Discussion
Jozsef_Soponyai
Nimbostratus
Jun 30, 2006
How to forward an optionally requested client cert in a header
Hi Ladies & Gentlemen!
I am a beginner with BigIp and have to solve the following problem.
The client X.509 cert should be requested, and if it exists it has to be forwarded via HTTP to the backend application. If a correct cert is forwarded, user auth is done; otherwise login and password will be required.
The client cert should be requested only once and forwarded in a header.
My iRule shows that SSL negotiation happens two times. The first gets the cert, the second removes it immediately.
Does anybody have a hint for me?
Here is my iRule and the logs:
snip
when CLIENT_ACCEPTED {
# Triggered when a client has established a connection.
log LOCAL0.warn "IN CLIENT_ACCEPTED"
set certState 0
set clientCrt "";
set clientCN "";
}
when CLIENTSSL_HANDSHAKE {
# Triggered when ?
if { [SSL::cert count] > 0 }{
log LOCAL0.warn "IN CLIENTSSL_HANDSHAKE; client has a cert"
}
else {
log LOCAL0.warn "IN CLIENTSSL_HANDSHAKE; no client cert detected"
}
}
when CLIENTSSL_CLIENTCERT {
# Triggered when the system adds an SSL client certificate to the client certificate chain.
if { [SSL::cert count] > 0 }{
log LOCAL0.warn "IN CLIENTSSL_CLIENTCERT; client has a cert"
set clientCrt [SSL::cert 0];
set clientCN [X509::subject $clientCrt];
log LOCAL0.warn [concat "CN:= " $clientCN];
}
else {
log LOCAL0.warn "IN CLIENTSSL_CLIENTCERT; no client cert detected"
log LOCAL0.warn [concat "CN:= " $clientCN];
}
}
when HTTP_REQUEST {
# Triggered when the system fully parses a complete client request header.
log LOCAL0.warn "START HTTP_REQUEST";
persist cookie insert lmn-cookie
use pool http_TE7
log LOCAL0.warn "START HTTP_REQUEST in Appl";
log LOCAL0.warn [concat "--CN:= " $clientCN];
if { [SSL::cert count] > 0 }{
log LOCAL0.warn "IN extra , client has cert";
set clientCrtMas [SSL::cert 0];
HTTP::header insert "SSL_CLIENT_CERT" [X509::whole $clientCrtMas];
log LOCAL0.warn "IN HTTP_REQUEST; cert HEADER SSL_CLIENT_CERT inserted";
} else {
log LOCAL0.warn "IN extra , client has NO cert, then NO HEADER";
log LOCAL0.warn [concat "CN:= " $clientCN];
}
}
The logs:
Fri Jun 30 01:00:21 CEST 2006 tmm tmm[695] Rule sp_7 : IN CLIENT_ACCEPTED
Fri Jun 30 01:00:27 CEST 2006 tmm tmm[695] Rule sp_7 : IN CLIENT_ACCEPTED
Fri Jun 30 01:00:35 CEST 2006 tmm tmm[695] Rule sp_7 : IN CLIENTSSL_CLIENTCERT; client has a cert
Fri Jun 30 01:00:35 CEST 2006 tmm tmm[695] Rule sp_7 : CN:= /DC=de/CN=People/serialNumber=2446372846/CN=Testuser910
Fri Jun 30 01:00:35 CEST 2006 tmm tmm[695] Rule sp_7 : IN CLIENTSSL_HANDSHAKE; client has a cert
Fri Jun 30 01:00:39 CEST 2006 tmm tmm[695] Rule sp_7 : IN CLIENT_ACCEPTED
Fri Jun 30 01:00:39 CEST 2006 tmm tmm[695] Rule sp_7 : IN CLIENTSSL_HANDSHAKE; no client cert detected
Fri Jun 30 01:00:39 CEST 2006 tmm tmm[695] Rule sp_7 : START HTTP_REQUEST in Appl
Fri Jun 30 01:00:39 CEST 2006 tmm tmm[695] Rule sp_7 : --CN:=
Fri Jun 30 01:00:39 CEST 2006 tmm tmm[695] Rule sp_7 : IN extra , client has NO cert, then NO HEADER
Fri Jun 30 01:00:39 CEST 2006 tmm tmm[695] Rule sp_7 : CN:=
Fri Jun 30 01:00:39 CEST 2006 tmm tmm[695] Rule sp_7 : START HTTP_REQUEST in Appl
Fri Jun 30 01:00:39 CEST 2006 tmm tmm[695] Rule sp_7 : --CN:=
Fri Jun 30 01:00:39 CEST 2006 tmm tmm[695] Rule sp_7 : IN extra , client has NO cert, then NO HEADER
Fri Jun 30 01:00:39 CEST 2006 tmm tmm[695] Rule sp_7 : CN:=
end of logs
Best regards
Soponyai
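The log above shows three separate CLIENT_ACCEPTED events, so the cert captured during the first handshake lives in per-connection variables that are gone by the time the HTTP request arrives on a later, resumed connection. The following iRule is an added example (not the poster's rule and not F5 code) of the usual way to carry the cert across connections: cache it in the BIG-IP session table keyed by the SSL session ID in CLIENTSSL_CLIENTCERT, and read it back in HTTP_REQUEST. It assumes a v9 iRule where `session add`/`session lookup` and `SSL::sessionid` are available, keeps the poster's pool name, cookie name and header name, and adds one defensive step the original lacks: the SSL_CLIENT_CERT header is removed from every request first, so a copy supplied by the client can never reach a backend that trusts that header for authentication.

```tcl
# Added example, not the original poster's iRule. Assumes BIG-IP v9 iRule
# commands: session add/lookup, SSL::sessionid, SSL::cert, X509::whole.
when CLIENTSSL_CLIENTCERT {
    # Full handshake: the client presented a cert. Cache it against the
    # SSL session ID for 180 seconds so resumed sessions can find it again.
    if { [SSL::cert count] > 0 } {
        session add ssl [SSL::sessionid] [SSL::cert 0] 180
        log LOCAL0.warn "cached cert for [X509::subject [SSL::cert 0]]"
    }
}

when HTTP_REQUEST {
    # Strip any client-supplied copy of the header before deciding whether
    # to insert our own; the backend must only ever see the BIG-IP's value.
    HTTP::header remove "SSL_CLIENT_CERT"

    # Prefer the cert on this handshake; fall back to the cached one,
    # because a resumed SSL session does not re-send the certificate.
    set cert ""
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
    } else {
        set cert [session lookup ssl [SSL::sessionid]]
    }

    if { $cert ne "" } {
        HTTP::header insert "SSL_CLIENT_CERT" [X509::whole $cert]
        log LOCAL0.warn "SSL_CLIENT_CERT inserted for [X509::subject $cert]"
    } else {
        # No cert on this or any cached session: forward without the
        # header so the application falls back to login and password.
        log LOCAL0.warn "no client cert; request forwarded without header"
    }

    persist cookie insert lmn-cookie
    pool http_TE7
}
```

The 180-second lifetime is an assumed value; it should match or exceed the client SSL profile's session cache timeout, since a session that the BIG-IP still resumes but whose table entry has expired would again arrive without a cert.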
Jozsef_Soponyai
Nimbostratus
The problem is reduced currently to a client verification problem. Here the logs
Jozsef_Soponyai
Nimbostratus
The problem is further reduced.