Forum Discussion
Tidux_92112
Nimbostratus
Aug 09, 2005
How to insert both the certificate serial number and the SSL verify result into the HTTP header?
As above, I want to deliver the SSL cert serial number to the HTTP server behind BIG-IP, and redirect users who have no cert to an error page at the same time.
It looks like that if I use two "sessio...
MS_PY_108764
Nimbostratus
Jan 31, 2006
This is the iRule that we set up. Our serial numbers had special characters in them. Also, the serial number is separated by colons, which IIS does not accept even though they are allowed by the RFC. I think IIS blocks them because they can be a security risk allowing execution of alternate streams. Our solution was to remove any characters that are not numeric or alpha a-f (all valid hex characters). The other feature we added was putting the user's public certificate into a cookie. That way we will be able to populate the header information all the time.
MSPY
Rob, and anyone else that used this: if you copied the example that was here before, you might be in danger if your bigip box is rebooted. In my example I used {} in the regular expression to replace all non-alphanumeric characters with nothing. This works fine when you load the iRule into memory, but once you try to load it from the file (i.e. boot) it does not like {} and will fail to load your configuration. I have updated my previous post by replacing the {} with "".
when CLIENTSSL_CLIENTCERT {
    session add ssl [SSL::sessionid] [SSL::cert 0]
}
when HTTP_REQUEST {
    if { [session lookup ssl [SSL::sessionid]] ne "" } {
        # Encode the certificate into the z variable so it can be saved as a cookie
        set z [b64encode [session lookup ssl [SSL::sessionid]]]
        # Set the headers
        HTTP::header insert ClientCertSubject [X509::subject [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertVersion [X509::version [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertIssuer [X509::issuer [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertValidFrom [X509::not_valid_before [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertValidUntil [X509::not_valid_after [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertExtensions [X509::extensions [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertWhole [X509::whole [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertHash [X509::hash [session lookup ssl [SSL::sessionid]]]
        # Remove everything that is not a digit or a letter A-F (keep hex only)
        regsub -all "\[^0-9A-Fa-f\]" [X509::serial_number [session lookup ssl [SSL::sessionid]]] "" test
        HTTP::header insert ClientCertSN $test
        session delete ssl [SSL::sessionid]
    } elseif { [HTTP::cookie exists ClientZ] } {
        # Certificate was saved earlier in the ClientZ cookie; decode it and set the same headers
        HTTP::header insert ClientCertSubject [X509::subject [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertVersion [X509::version [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertIssuer [X509::issuer [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertValidFrom [X509::not_valid_before [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertValidUntil [X509::not_valid_after [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertExtensions [X509::extensions [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertWhole [X509::whole [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertHash [X509::hash [b64decode [HTTP::cookie ClientZ]]]
        regsub -all "\[^0-9A-Fa-f\]" [X509::serial_number [b64decode [HTTP::cookie ClientZ]]] "" test
        HTTP::header insert ClientCertSN $test
    } else {
        # No certificate and no cookie: send an empty cookie value
        set z [b64encode ""]
    }
}
when HTTP_RESPONSE {
    if { [info exists z] } {
        # HTTP::header insert takes the header name and value as separate arguments
        HTTP::header insert Set-Cookie "ClientZ=$z"
    }
}
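The following iRule is an added example, not code posted in this thread, that answers the title question directly: it inserts the hex-only serial number and the SSL::verify_result as request headers and serves an error page to clients that presented no certificate. Unlike the cookie fallback above, it keeps the certificate only in the BIG-IP session table and strips any client-supplied copies of the headers, so the backend only ever sees values the iRule itself inserted. It assumes a client SSL profile that requests (rather than requires) a client certificate and has the verifying CA bundle configured; the header names and the 3600-second timeout are illustrative choices.

```tcl
# Added example, not from the thread. Assumes a client SSL profile that
# requests a client certificate and is configured with the CA bundle used
# to verify it. Header names and the timeout are illustrative.
when CLIENTSSL_CLIENTCERT {
    # Record the cert and its verification result per SSL session so that
    # resumed sessions (where this event does not fire again) still get
    # headers; entries expire after 3600 seconds.
    if { [SSL::cert count] > 0 } {
        session add ssl [SSL::sessionid] [SSL::cert 0] 3600
        session add ssl "[SSL::sessionid]:vr" [SSL::verify_result] 3600
    }
}

when HTTP_REQUEST {
    # Strip any copies of these headers sent by the client so the backend
    # only ever sees values inserted here.
    HTTP::header remove ClientCertSN
    HTTP::header remove ClientCertVerifyResult
    HTTP::header remove ClientCertSubject

    set cert [session lookup ssl [SSL::sessionid]]
    if { $cert eq "" } {
        # No certificate on this SSL session: serve an error page instead
        # of forwarding the request to the pool.
        HTTP::respond 403 content "<html><body>A client certificate is required.</body></html>" "Content-Type" "text/html"
        return
    }

    # Keep only hex digits of the serial number (the colon-free form IIS
    # accepts); quoted pattern rather than {} as noted earlier in the thread.
    regsub -all "\[^0-9A-Fa-f\]" [X509::serial_number $cert] "" serial

    HTTP::header insert ClientCertSN $serial
    # 0 means the chain verified; any other value is the OpenSSL error code
    HTTP::header insert ClientCertVerifyResult [session lookup ssl "[SSL::sessionid]:vr"]
    HTTP::header insert ClientCertSubject [X509::subject $cert]
}
```

The backend should still restrict these headers to requests arriving from the BIG-IP (for example by firewalling direct access to the pool members), since the headers themselves carry no proof of origin.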