Forum Discussion
Tidux_92112
Nimbostratus
Aug 09, 2005
How to insert the certificate serial number and the SSL verify result into HTTP headers, both at once?
As above, I want to deliver the SSL cert serial number to the HTTP server behind the BIG-IP, and at the same time redirect users who have no cert to an error page.
It looks like that if I use two "session add ssl" in iRules:
session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180
session add ssl [SSL::sessionid] [SSL::cert 0] 180
the second one replaces the first. How can I make both work together?
17 Replies
- Colin_Walker_12
Historic F5 Account
Tidux,
I could use a little clarification as to what it is you're trying to accomplish. Are you trying to add the SSL cert serial number if there is one, and if not, redirect the users without SSL to an error page?
If this is the case you'd use an if statement in your rule, rather than just setting the sessionid twice.
If you could provide some clarification and further details as to what you're attempting to accomplish I'd be glad to help.
Thanks,
-Colin
- unRuleY_95363
Historic F5 Account
Just as a general note, if you want to store more than one thing in the session table, you would first need to build a list containing each thing. Then store the list in the session table.
In your example, you could do this:
lset my_ssl_stuff {[SSL::cert 0] [X509::verify_cert_error_string [SSL::verify_result]]}
session add ssl [SSL::sessionid] $my_ssl_stuff 180
Then when you extract the value from the session table you would use the command "lindex" to extract the appropriate portion. I.e.:
set my_ssl_stuff [session lookup ssl [SSL::sessionid]]
set ssl_cert [lindex $my_ssl_stuff 0]
set ssl_errstr [lindex $my_ssl_stuff 1]
- Tidux_92112
Nimbostratus
Thanks to Colin and unRuleY.
I have completed my rule based on unRuleY's advice.
when CLIENTSSL_CLIENTCERT {
    set ssl_stuff [list anything1 anything2]
    set ssl_cert [SSL::cert 0]
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    lset ssl_stuff 0 $ssl_cert
    lset ssl_stuff 1 $ssl_errstr
    session add ssl [SSL::sessionid] $ssl_stuff 180
}
when HTTP_REQUEST {
    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
    set ssl_cert2 [lindex $ssl_stuff2 0]
    set ssl_errstr2 [lindex $ssl_stuff2 1]
    if { $ssl_errstr2 eq "ok" } {
        HTTP::header insert SSLClientCertStatus $ssl_errstr2
        HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
    } else {
        HTTP::redirect http://192.168.0.64/error.html
    }
}
I had to change the syntax of "lset" and add a "set" before the "lset", because it didn't work when I wrote it like this:
lset my_ssl_stuff {[SSL::cert 0] [X509::verify_cert_error_string [SSL::verify_result]]}
session add ssl [SSL::sessionid] $my_ssl_stuff 180
Thanks again, unRuleY, for your "lset&lindex" advice!
- Ryan_Segura_110
Nimbostratus
I modified the example to show some more client SSL variables, does this sound right?
when CLIENTSSL_CLIENTCERT {
    set ssl_cert [SSL::cert 0]
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    set ssl_stuff [list $ssl_cert $ssl_errstr]
    session add ssl [SSL::sessionid] $ssl_stuff 180
}
when HTTP_REQUEST {
    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
    set ssl_cert2 [lindex $ssl_stuff2 0]
    set ssl_errstr2 [lindex $ssl_stuff2 1]
    if { $ssl_errstr2 eq "ok" } {
        HTTP::header insert SSLClientCertStatus $ssl_errstr2
        HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
        HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $ssl_cert2]
        HTTP::header insert SSLClientCertValidUtil [X509::not_valid_after $ssl_cert2]
        HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]
        HTTP::header insert SSLClientCertIssuer [X509::issuer $ssl_cert2]
    } else {
        HTTP::redirect http://192.168.0.64/error.html
    }
}
- Looks good to me. Have you tried it out?
-Joe
- Ryan_Segura_110
Nimbostratus
I guess I have some more questions.
Does this actually authenticate the client cert?
By doing this?
set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
- Matthew_Newby_2
Nimbostratus
Ryan, Joe, tidux, anyone else -- have any of you gotten this to work? This is almost exactly what we're trying to do here, but have been summarily unsuccessful in accomplishing. Our code for the iRule looks like this (almost exactly like the code an earlier poster was trying to run, except we're not doing the redirect at the end):
when CLIENTSSL_CLIENTCERT {
    set ssl_cert [SSL::cert 0]
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    set ssl_stuff [list $ssl_cert $ssl_errstr]
    session add ssl [SSL::sessionid] $ssl_stuff 180
}
when HTTP_REQUEST {
    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
    set ssl_cert2 [lindex $ssl_stuff2 0]
    set ssl_errstr2 [lindex $ssl_stuff2 1]
    if { $ssl_errstr2 eq "ok" } {
        HTTP::header insert SSLClientCertStatus $ssl_errstr2
        HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
        HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $ssl_cert2]
        HTTP::header insert SSLClientCertValidUtil [X509::not_valid_after $ssl_cert2]
        HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]
        HTTP::header insert SSLClientCertIssuer [X509::issuer $ssl_cert2]
    } else {
        HTTP::header insert SSLClientCertError "Matt caught an error"
    }
}
I'm trying to see the results server-side on a ColdFusion page by doing a CFDUMP of the CGI collection, which is where the CERT_*, HTTPS_*, and HTTP_* variables currently show up. We very much need to get the CERT_SUBJECT to our back end web server. The statistics on the BigIP show that the iRule fired for event type HTTP_REQUEST, but I don't see any data getting to the back end. I'm guessing my lack of experience with Tcl isn't helping either... 😞
Thank you,
-matt
- Tidux_92112
Nimbostratus
Maybe you should add some "log" statements to verify the data that the BIP inserted into the HTTP header, like this:
if { $ssl_errstr2 eq "ok" } {
    set sn [X509::serial_number $ssl_cert2]
    log $sn
    HTTP::header insert SSLClientCertSN $sn
    ....
Then you can examine the content of $sn (the client certificate serial number) in the BIP's log. You will find where the problem is.
- Robert_Decker_2
Nimbostratus
I was hoping somebody could help me out with this. I would like to send the same certificate information to our web servers. My main problem is that I receive a “page cannot be displayed” 400 bad request error with the following code:
when CLIENTSSL_CLIENTCERT {
    set ssl_cert [SSL::cert 0]
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    set ssl_stuff [list $ssl_cert $ssl_errstr]
    session add ssl [SSL::sessionid] $ssl_stuff 180
}
when HTTP_REQUEST {
    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
    set ssl_cert2 [lindex $ssl_stuff2 0]
    set ssl_errstr2 [lindex $ssl_stuff2 1]
    HTTP::header insert SSLClientCertStatus $ssl_errstr2
    HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
    HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $ssl_cert2]
    HTTP::header insert SSLClientCertValidUtil [X509::not_valid_after $ssl_cert2]
    HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]
    HTTP::header insert SSLClientCertIssuer [X509::issuer $ssl_cert2]
}
I can see the client certificate information while monitoring the server using ethereal, but can’t seem to get the web page to display properly.
Thank you for your help,
Rob
- Robert_Decker_2
Nimbostratus
I was able to make the iRule work after I dropped the following line:
HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]
Is there a special format for the subject line or known issues with that certain field?
Thank you,
Rob
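The following iRule is an added example that pulls the thread's pieces together; it is not code posted by any participant above. It keeps unRuleY's "store one list in the session table" pattern and Tidux's redirect to the error page, and adds two things a practitioner would want before trusting these headers on the back end: the client-supplied copies of the same header names are removed before the BIG-IP inserts its own (otherwise a client could send its own SSLClientCertStatus: ok), and a missing or malformed session entry is treated as "no certificate" rather than producing empty headers. The header names and error-page URL follow the thread (with the thread's SSLClientCertValidUtil spelled SSLClientCertValidUntil here); SSL::cert count, HTTP::header remove and log local0. are standard iRule commands not used by the posters, and the 180-second session lifetime is carried over from the posts above.

```tcl
# Added example, not from the thread: client-cert data via the session table,
# with header hygiene on the HTTP side.
when CLIENTSSL_CLIENTCERT {
    # Only record something when the client actually presented a certificate.
    # Without an entry, HTTP_REQUEST below treats the request as "no cert".
    if { [SSL::cert count] > 0 } {
        set ssl_cert   [SSL::cert 0]
        set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
        # Both values go into the table as ONE list, so a second "session add"
        # cannot overwrite the first (the original problem in this thread).
        session add ssl [SSL::sessionid] [list $ssl_cert $ssl_errstr] 180
    }
}

when HTTP_REQUEST {
    # The back end must only see values set by the BIG-IP: strip any copies of
    # these headers the client sent before inserting our own.
    foreach hdr [list SSLClientCertStatus SSLClientCertSN SSLClientCertValidFrom \
                      SSLClientCertValidUntil SSLClientCertSubject SSLClientCertIssuer] {
        HTTP::header remove $hdr
    }

    set ssl_stuff [session lookup ssl [SSL::sessionid]]

    # No entry (no client cert, or the 180 s entry expired) or an entry that is
    # not the two-element list we stored: send the user to the error page.
    if { [llength $ssl_stuff] != 2 } {
        HTTP::redirect "http://192.168.0.64/error.html"
        return
    }
    set ssl_cert   [lindex $ssl_stuff 0]
    set ssl_errstr [lindex $ssl_stuff 1]

    # A certificate that did not verify is logged and redirected, not forwarded.
    if { $ssl_errstr ne "ok" } {
        log local0. "client cert rejected: $ssl_errstr"
        HTTP::redirect "http://192.168.0.64/error.html"
        return
    }

    # Verified certificate: log the serial (Tidux's debugging tip) and forward
    # the certificate fields to the server as headers.
    set sn [X509::serial_number $ssl_cert]
    log local0. "client cert ok, serial $sn"
    HTTP::header insert SSLClientCertStatus     $ssl_errstr
    HTTP::header insert SSLClientCertSN         $sn
    HTTP::header insert SSLClientCertValidFrom  [X509::not_valid_before $ssl_cert]
    HTTP::header insert SSLClientCertValidUntil [X509::not_valid_after $ssl_cert]
    HTTP::header insert SSLClientCertSubject    [X509::subject $ssl_cert]
    HTTP::header insert SSLClientCertIssuer     [X509::issuer $ssl_cert]
}
```

The header removal is the part that matters for security: every header in this list reaches the application as a plain string, so the application cannot tell a BIG-IP-inserted value from one a client typed in unless the BIG-IP guarantees that only its own copy survives. Keeping the verify-result check and the redirect in the HTTP_REQUEST event (rather than only in CLIENTSSL_CLIENTCERT) also means a resumed SSL session whose table entry has expired falls through to the error page instead of being forwarded with empty headers.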