Forum Discussion
Tidux_92112
Nimbostratus
Aug 09, 2005
How to insert certificate serial number and ssl verify result to http header both?
As above, I want to deliver the ssl cert serial number to the http server behind BIG-IP, and redirect the users who have no cert to an error page at the same time.
It looks like that if I use two "sessio...
Tidux_92112
Nimbostratus
Aug 10, 2005
Thanks to Colin and unRuleY.
I have completed my rule based on unRuleY's advice.

    when CLIENTSSL_CLIENTCERT {
        # Two-element list: [0] client certificate, [1] verify result string
        set ssl_stuff [list anything1 anything2]
        set ssl_cert [SSL::cert 0]
        set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
        lset ssl_stuff 0 $ssl_cert
        lset ssl_stuff 1 $ssl_errstr
        # Store the list under the SSL session ID with a timeout of 180
        session add ssl [SSL::sessionid] $ssl_stuff 180
    }
    when HTTP_REQUEST {
        # Look up what was stored for this SSL session
        set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
        set ssl_cert2 [lindex $ssl_stuff2 0]
        set ssl_errstr2 [lindex $ssl_stuff2 1]
        if { $ssl_errstr2 eq "ok" } {
            HTTP::header insert SSLClientCertStatus $ssl_errstr2
            HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
        } else {
            HTTP::redirect http://192.168.0.64/error.html
        }
    }

I have to change the syntax of "lset" and add "set" before "lset", because it didn't work if I wrote like this:

    lset my_ssl_stuff {[SSL::cert 0] [X509::verify_cert_error_string [SSL::verify_result]]}
    session add ssl [SSL::sessionid] $my_ssl_stuff 180

Thanks again, unRuleY, for your "lset&lindex" advice!
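
An added variant of the rule in this thread (an example written for this page, not the poster's or F5's code). It builds the stored value with `list`, because in Tcl braces suppress command substitution and a braced `{[SSL::cert 0] ...}` is kept as literal text, and it removes any client-supplied copies of the two headers before inserting them so the back-end server only sees values set by the BIG-IP. Header names and the redirect URL are the ones from the post.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Only index the chain if the client actually presented a certificate.
    if { [SSL::cert count] > 0 } {
        # [list ...] evaluates each bracketed command and quotes the results
        # as list elements; no placeholder list or lset is needed.
        set ssl_stuff [list \
            [SSL::cert 0] \
            [X509::verify_cert_error_string [SSL::verify_result]]]
        session add ssl [SSL::sessionid] $ssl_stuff 180
    }
}
when HTTP_REQUEST {
    # Strip headers of the same name arriving from the client, so the
    # application cannot be handed a status or serial number it did not
    # get from this rule.
    HTTP::header remove SSLClientCertStatus
    HTTP::header remove SSLClientCertSN

    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
    # An empty lookup (no certificate, or the entry timed out) is handled
    # the same way as a failed verification.
    if { $ssl_stuff2 ne "" && [lindex $ssl_stuff2 1] eq "ok" } {
        HTTP::header insert SSLClientCertStatus [lindex $ssl_stuff2 1]
        HTTP::header insert SSLClientCertSN [X509::serial_number [lindex $ssl_stuff2 0]]
    } else {
        HTTP::redirect http://192.168.0.64/error.html
    }
}
```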
