
Tidux_92112
Aug 09, 2005

How to insert certificate serial number and ssl verify result to http header both ?

As above, I want to deliver the SSL cert serial number to the HTTP server behind BIG-IP, and redirect users who have no cert to an error page at the same time.

It looks like if I use two "session add ssl" in iRules:

session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180
session add ssl [SSL::sessionid] [SSL::cert 0] 180

the 2nd one will replace the 1st one. How to make the two things valid together?

17 Replies

  • Sorry, it was the serial number...

    HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]

    Thanks

    Rob
    bl0ndie_127134
    Historic F5 Account
    Does the serial number contain any colons? I wonder if the colons are confusing your webserver. As you may know, colons are used to delineate the header and value fields in the HTTP header. I don't think there are any restrictions on its use in the header value, but this might be an implementation limitation of your webserver.
  • The serial number on the card looks to be a 6 digit hex value.

    Example:

    71 58 E0

    The Big IP will not connect to the server if the serial number is included in the only Irule used.

    I can make a separate Irule for every "HTTP::header insert" line and attach them all to a virtual server. This allows me to see all the HTTP header info except the serial number, but does not display the page (400 error). Is there any way to see what is going on during the transaction on the Big IP?

    Thank you,

    Rob
    bl0ndie_127134
    Historic F5 Account
    It would be helpful to see the complete request that's sent to the server to determine what's going on. Could you take a tcpdump on the server side and post the result?

    Important

    Before you post the result, please be sure to remove/mask any sensitive information such as username, password, IP addresses, URI etc. that you would rather not share with us, our customers or our competitors that subscribe to this great list.
  • This is the iRule that we set up. Our serial numbers had special characters in them. Also, the serial number is separated by colons, which IIS does not accept even though they are allowed by the RFC. I think IIS blocks them because they can be a security risk allowing execution of alternate streams. Our solution was to remove any characters that are not numeric or alpha a-f (all valid hex characters). The other feature we added was putting the user's public certificate into a cookie. That way we will be able to populate the header information all the time.

    MSPY

    when CLIENTSSL_CLIENTCERT {
      # Store the DER client certificate in the session table, keyed by SSL session id
      session add ssl [SSL::sessionid] [SSL::cert 0]
    }
    when HTTP_REQUEST {
      if { [session lookup ssl [SSL::sessionid]] ne "" } {
        # Encode the certificate into the z variable so it can be saved as a cookie
        set z [b64encode [session lookup ssl [SSL::sessionid]]]

        # Set the headers
        HTTP::header insert ClientCertSubject [X509::subject [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertVersion [X509::version [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertIssuer [X509::issuer [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertValidFrom [X509::not_valid_before [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertValidUntil [X509::not_valid_after [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertExtensions [X509::extensions [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertWhole [X509::whole [session lookup ssl [SSL::sessionid]]]
        HTTP::header insert ClientCertHash [X509::hash [session lookup ssl [SSL::sessionid]]]
        # Remove all non numbers or letters A-F (IIS rejects the colon-separated form)
        regsub -all "\[^0-9A-Fa-f\]" [X509::serial_number [session lookup ssl [SSL::sessionid]]] "" test
        HTTP::header insert ClientCertSN $test
        session delete ssl [SSL::sessionid]
      } elseif { [HTTP::cookie exists ClientZ] } {
        # No session entry: rebuild the headers from the certificate carried in the cookie
        HTTP::header insert ClientCertSubject [X509::subject [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertVersion [X509::version [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertIssuer [X509::issuer [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertValidFrom [X509::not_valid_before [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertValidUntil [X509::not_valid_after [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertExtensions [X509::extensions [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertWhole [X509::whole [b64decode [HTTP::cookie ClientZ]]]
        HTTP::header insert ClientCertHash [X509::hash [b64decode [HTTP::cookie ClientZ]]]
        regsub -all "\[^0-9A-Fa-f\]" [X509::serial_number [b64decode [HTTP::cookie ClientZ]]] "" test
        HTTP::header insert ClientCertSN $test
      } else {
        set z [b64encode ""]
      }
    }
    when HTTP_RESPONSE {
      if { [info exists z] } {
        # Set-Cookie is the header name; the cookie itself is the value
        HTTP::header insert Set-Cookie "ClientZ=$z"
      }
    }
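The original question (two "session add ssl" calls overwriting each other) is never answered directly in the thread, so here is an added iRule, not code from the thread, that keeps the verify result and the certificate under a single session key as one Tcl list, redirects users with no cert, and reuses MSPY's hex-only serial filter. It assumes the client SSL profile only requests (not requires) a client cert, that /nocert.html is a placeholder error page served without a cert, and it strips any copies of the inserted headers a client might send itself, which the cookie-based variant above does not guard against.

```tcl
# Added example (not from the thread). Assumes a client SSL profile that requests
# a client certificate and a placeholder error page at /nocert.html.
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] > 0 } {
        # One session entry holding both values: element 0 is the verify result
        # string, element 1 is the DER certificate. A single "session add ssl"
        # per key means nothing gets overwritten.
        set entry [list [X509::verify_cert_error_string [SSL::verify_result]] [SSL::cert 0]]
        session add ssl [SSL::sessionid] $entry 180
    }
}

when HTTP_REQUEST {
    # The backend trusts these headers, so drop any the client supplied itself
    HTTP::header remove ClientCertSN
    HTTP::header remove ClientCertVerify

    set entry [session lookup ssl [SSL::sessionid]]
    if { $entry eq "" } {
        # No certificate was presented: send the user to the error page.
        # The error page URI is exempted so the redirect cannot loop.
        if { [HTTP::uri] ne "/nocert.html" } {
            HTTP::redirect "https://[HTTP::host]/nocert.html"
        }
        return
    }

    set verify [lindex $entry 0]
    set cert   [lindex $entry 1]

    # Serial numbers come back colon-separated (e.g. 71:58:E0); keep only hex
    # digits, as in MSPY's regsub, so IIS accepts the header value. The pattern
    # is written with escaped brackets rather than {} because of the config
    # load issue MSPY describes.
    regsub -all "\[^0-9A-Fa-f\]" [X509::serial_number $cert] "" serial

    HTTP::header insert ClientCertVerify $verify
    HTTP::header insert ClientCertSN $serial
}
```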
  • Thank you very much for the help! I didn't initially think that the serial number had any special characters in it when viewing it through our card reader software. However, I was able to see the serial number (formatted with colons) after taking a few captures with ethereal and logging the Irule like Bl0ndie and tech support had suggested. The regsub code used by MSPY worked great!

    Thanks again,

    Rob

  • Rob, and anyone else that used this. If you copied the example that was here before you might be in danger if your bigip box is rebooted. In my example I used {} in the regular expression to replace all non alphanumeric characters with nothing. This works fine when you load the irule into memory, but once you try to load it from the file (i.e. boot) it does not like {} and will fail to load your configuration. I have updated my previous post by replacing the {} with "".

    MSPY