Forum Discussion
HTTP header insert with CN and SHA1 thumbprint of the SSL certificate?
Hi, can anyone help edit the iRule below to match my requirement: HTTP header insert with CN (certificate name) and SHA1 thumbprint of the SSL certificate to the backend servers.
The LTM VIP is HTTPS with only a client SSL profile.
Members are connected to the LB on port 3000, with no server-side SSL profile.
when CLIENTSSL_HANDSHAKE {
    # Cache the client certificate in the session table, keyed by SSL session ID
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        session add ssl [SSL::sessionid] [SSL::cert 0]
    }
}
when HTTP_REQUEST {
    # Look the certificate up again for this request and pass it to the pool member
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert != "" } {
        HTTP::header insert X-Client-Cert [X509::whole $the_cert]
    }
}
- Andy_McGrath
Cumulonimbus
Take it you want the client certificate data inserted as HTTP headers?
The following does this generally; you will need to pick the parts you want from the iRule X509 options:
when CLIENTSSL_CLIENTCERT priority 100 {
    if {[SSL::cert count] > 0} {
        set clientCert [X509::whole [SSL::cert 0]]
        set clientCertSubject [X509::subject [SSL::cert 0]]
        foreach field [split $clientCertSubject ","] {
            if {$field starts_with "CN="} {
                set clientCommonName [getfield $field "=" 2]
            }
        }
    }
}
when HTTP_REQUEST {
    if {(info exists clientCert) && ($clientCert ne "")} {
        HTTP::header insert X-Client-Cert $clientCert
    }

    if {(info exists clientCommonName) && ($clientCommonName ne "")} {
        HTTP::header insert X-Client-CN $clientCommonName
    }
}
- IRONMAN
Cirrostratus
Thanks, I modified it; please check once.
when CLIENTSSL_CLIENTCERT priority 100 {
    if {[SSL::cert count] > 0} {
        set clientCert [X509::whole [SSL::cert 0]]
        set clientCertSubject [X509::subject [SSL::cert 0]]
        set cert_hash [X509::hash [SSL::cert 0]]
        foreach field [split $clientCertSubject ","] {
            if {$field starts_with "CN="} {
                set clientCommonName [getfield $field "=" 2]
            }
        }
    }
}
when HTTP_REQUEST {
    if {(info exists clientCert) && ($clientCert ne "")} {
        HTTP::header insert X-Client-Cert $clientCert
    }

    if {(info exists clientCommonName) && ($clientCommonName ne "")} {
        HTTP::header insert X-Client-CN $clientCommonName
    }
}
- Andy_McGrath
Cumulonimbus
when CLIENTSSL_CLIENTCERT priority 100 {
    if {[SSL::cert count] > 0} {
        set clientCert [X509::whole [SSL::cert 0]]
        set clientCertSubject [X509::subject [SSL::cert 0]]
        set clientCertHash [X509::hash [SSL::cert 0]]
        foreach field [split $clientCertSubject ","] {
            if {$field starts_with "CN="} {
                set clientCommonName [getfield $field "=" 2]
            }
        }
    }
}
when HTTP_REQUEST {
    if {(info exists clientCert) && ($clientCert ne "")} {
        HTTP::header insert X-Client-Cert $clientCert
    }

    if {(info exists clientCommonName) && ($clientCommonName ne "")} {
        HTTP::header insert X-Client-CN $clientCommonName
    }

    if {(info exists clientCertHash) && ($clientCertHash ne "")} {
        HTTP::header insert X-Client-hash $clientCertHash
    }
}
- IRONMAN
Cirrostratus
Thanks for your time, I will test it and let you know the result.
- IRONMAN
Cirrostratus
I am bothering you again, but I am getting a big error when adding the rule to the F5:
01070151:3: Rule [/Common/rulename] error: /Common/rulename:15: error: [parse error: PARSE syntax 466 {syntax error in expression "(info exists clientCert) && ($clientCert ne "")": looking for close parenthesis}][{(info exists clientCert) && ($clientCert ne "")}]
/Common/rulename:19: error: [parse error: PARSE syntax 587 {syntax error in expression "(info exists clientCommonName) && ($clientCommonName ne "")": looking for close parenthesis}][{(info exists clientCommonName) && ($clientCommonName ne "")}]
/Common/Qvantel-BSSAP-SIT:23: error: [parse error: PARSE syntax 724 {syntax error in expression "(info exists clientCertHash) && ($clientCertHash ne "")": looking for close parenthesis}][{(info exists clientCertHash) && ($clientCertHash ne "")}]
- Andy_McGrath
Cumulonimbus
Sorry, didn't have time to test and missed some [ ] out.
when CLIENTSSL_CLIENTCERT priority 100 {
    if {[SSL::cert count] > 0} {
        set clientCert [X509::whole [SSL::cert 0]]
        set clientCertSubject [X509::subject [SSL::cert 0]]
        set clientCertHash [X509::hash [SSL::cert 0]]
        foreach field [split $clientCertSubject ","] {
            if {$field starts_with "CN="} {
                set clientCommonName [getfield $field "=" 2]
            }
        }
    }
}
when HTTP_REQUEST {
    if {([info exists clientCert]) && ($clientCert ne "")} {
        HTTP::header insert X-Client-Cert $clientCert
    }

    if {([info exists clientCommonName]) && ($clientCommonName ne "")} {
        HTTP::header insert X-Client-CN $clientCommonName
    }

    if {([info exists clientCertHash]) && ($clientCertHash ne "")} {
        HTTP::header insert X-Client-hash $clientCertHash
    }
}
- IRONMAN
Cirrostratus
I got my application team saying they are expecting these header names:
- X-SSL-Client-CN
- X-SSL-Client-SHA1
Should I change it as below?
Please verify once.
when HTTP_REQUEST {
    if {([info exists clientCert]) && ($clientCert ne "")} {
        HTTP::header insert X-Client-Cert $clientCert
    }
    if {([info exists clientCommonName]) && ($clientCommonName ne "")} {
        HTTP::header insert X-SSL-Client-CN $clientCommonName
    }
    if {([info exists clientCertHash]) && ($clientCertHash ne "")} {
        HTTP::header insert X-SSL-Client-SHA1 $clientCertHash
    }
}
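A consolidated version of the final iRule, added here as an example and not posted by anyone in the thread. It assumes the same setup described above (client SSL profile on the virtual server, no server-side SSL) and adds two things a backend that trusts these headers needs: the client-supplied copies of X-SSL-Client-CN and X-SSL-Client-SHA1 are removed before the LTM inserts its own, and the CN is extracted with a regexp so it is found even when it is not the first attribute of the subject DN or is preceded by a space.

```tcl
# Added example (not from the thread). Assumes a client SSL profile that
# requests or requires a client certificate on the virtual server.
when CLIENTSSL_CLIENTCERT priority 100 {
    # Clear any values left from an earlier handshake on this connection,
    # so a renegotiation without a certificate cannot reuse stale data.
    unset -nocomplain clientCommonName clientCertHash
    if { [SSL::cert count] > 0 } {
        set clientCertSubject [X509::subject [SSL::cert 0]]
        # X509::hash gives the SHA1 fingerprint the application team asked for.
        set clientCertHash [X509::hash [SSL::cert 0]]
        # Match "CN=<value>" at the start of the DN or after a comma,
        # tolerating the optional space after the comma.
        if { [regexp {(?:^|,)\s*CN=([^,]+)} $clientCertSubject -> cn] } {
            set clientCommonName [string trim $cn]
        }
    }
}

when HTTP_REQUEST {
    # HTTP::header insert appends; it does not overwrite a header the client
    # already sent. Remove any incoming copies first so the pool member only
    # ever sees values that came from the TLS handshake on the LTM.
    HTTP::header remove X-SSL-Client-CN
    HTTP::header remove X-SSL-Client-SHA1

    if { [info exists clientCommonName] && ($clientCommonName ne "") } {
        HTTP::header insert X-SSL-Client-CN $clientCommonName
    }

    if { [info exists clientCertHash] && ($clientCertHash ne "") } {
        HTTP::header insert X-SSL-Client-SHA1 $clientCertHash
    }
}
```

Because the pool members listen on plain port 3000, they should accept these headers only from the LTM's self IPs; any other path to port 3000 lets a caller set them directly.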