Tidux_92112
Nimbostratus
Aug 09, 2005
How to insert certificate serial number and ssl verify result to http header both?
As above, I want to deliver the ssl cert serial number to the http server behind BIG-IP, and redirect the users who have no cert to an error page at the same time.
It looks like that if I use two "sessio...
Matthew_Newby_2
Nimbostratus
Jan 09, 2006
Ryan, Joe, tidux, anyone else -- have any of you gotten this to work? This is almost exactly what we're trying to do here, but have been summarily unsuccessful in accomplishing. Our code for the iRule looks like this (almost exactly like the code an earlier poster was trying to run, except we're not doing the redirect at the end):
    when CLIENTSSL_CLIENTCERT {
        # Cache the client certificate and its verify result in the session
        # table, keyed by SSL session ID, with a 180-second timeout.
        set ssl_cert [SSL::cert 0]
        set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
        set ssl_stuff [list $ssl_cert $ssl_errstr]
        session add ssl [SSL::sessionid] $ssl_stuff 180
    }
    when HTTP_REQUEST {
        # Look up the cached certificate data for this SSL session.
        set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
        set ssl_cert2 [lindex $ssl_stuff2 0]
        set ssl_errstr2 [lindex $ssl_stuff2 1]
        if { $ssl_errstr2 eq "ok" } {
            # Certificate verified: pass its fields to the back end as headers.
            HTTP::header insert SSLClientCertStatus $ssl_errstr2
            HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
            HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $ssl_cert2]
            HTTP::header insert SSLClientCertValidUtil [X509::not_valid_after $ssl_cert2]
            HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]
            HTTP::header insert SSLClientCertIssuer [X509::issuer $ssl_cert2]
        } else {
            HTTP::header insert SSLClientCertError "Matt caught an error"
        }
    }
I'm trying to see the results of this server-side on a ColdFusion page by doing a CFDUMP of the CGI collection, which is where the CERT_*, HTTPS_*, and HTTP_* variables currently show up. We very much need to get the CERT_SUBJECT to our back end web server. The statistics on the BigIP show that the iRule fired for event type HTTP_REQUEST, but I don't see any data getting to the back end. I'm guessing my lack of experience with Tcl isn't helping either... 😞
Thank you,
-matt
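
Added example (not part of the original posts and not F5 code): a back-end check, sketched in Python, of the `SSLClientCert*` headers that the iRule above inserts, rejecting requests where those headers cannot have come from the BIG-IP alone. Only the header names and the "ok" status string come from the post; `TRUSTED_PROXIES`, `client_cert_identity`, `CertHeaderError` and the sample values are hypothetical, and the back end is assumed to see the peer address and the raw header list.

```python
# Added example: back-end validation of the headers set by the iRule above.
# Header names come from the post; every other name here is hypothetical.
TRUSTED_PROXIES = {"10.0.0.5"}  # constructed: address the BIG-IP connects from
PREFIX = "sslclientcert"
REQUIRED = (PREFIX + "sn", PREFIX + "subject", PREFIX + "issuer")


class CertHeaderError(Exception):
    """Raised when the forwarded certificate headers cannot be trusted."""


def client_cert_identity(peer_ip, headers):
    """Return the forwarded certificate fields or raise CertHeaderError.

    headers is the raw list of (name, value) pairs, so repeated names stay visible.
    """
    if peer_ip not in TRUSTED_PROXIES:
        raise CertHeaderError("request did not come through the proxy")
    seen = {}
    for name, value in headers:
        key = name.lower()
        if not key.startswith(PREFIX):
            continue
        # HTTP::header insert appends without removing a copy sent by the
        # client, so a repeated name means one value is not from the proxy.
        if key in seen:
            raise CertHeaderError("duplicate header: " + name)
        seen[key] = value.strip()
    # The iRule's else branch sets only SSLClientCertError, so reject even
    # when other SSLClientCert* headers arrive alongside it.
    if PREFIX + "error" in seen:
        raise CertHeaderError("proxy reported: " + seen[PREFIX + "error"])
    if seen.get(PREFIX + "status") != "ok":
        raise CertHeaderError("no verified client certificate")
    missing = [k for k in REQUIRED if not seen.get(k)]
    if missing:
        raise CertHeaderError("missing: " + ", ".join(missing))
    return {k[len(PREFIX):]: seen[k] for k in REQUIRED}


# Constructed sample: headers as received for a verified certificate.
SAMPLE_OK = [
    ("Host", "app.example.test"),
    ("SSLClientCertStatus", "ok"),
    ("SSLClientCertSN", "01:a4"),
    ("SSLClientCertSubject", "CN=alice,O=Example"),
    ("SSLClientCertIssuer", "CN=Example CA"),
]
```

Removing inbound `SSLClientCert*` headers on the BIG-IP with `HTTP::header remove` before inserting its own closes the same gap at the proxy.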
