Forum Discussion
Dirk_Laan_18877
Nimbostratus
Nov 20, 2006
if no cert rule
Hello,
We've created the following iRule for checking the cert.
If the cert is present, everything works OK.
But if the client has no cert, the rule's HTTP redirect does not work.
Anyone have ideas?
It's driving me crazy trying to get this working.
when CLIENTSSL_CLIENTCERT {
    # Capture the client cert and the verification result string ("ok" on success)
    set ssl_cert [SSL::cert 0]
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    # Store both in the session table, keyed on the SSL session id, for 180 seconds
    set ssl_stuff [list $ssl_cert $ssl_errstr]
    session add ssl [SSL::sessionid] $ssl_stuff 180
    log local0. "ClientSSl_Clienthandshake status: $ssl_errstr"
}
when HTTP_REQUEST {
    # Look up what the handshake stored for this SSL session
    set ssl_stuff [session lookup ssl [SSL::sessionid]]
    set clcert [lindex $ssl_stuff 0]
    set ssl_errstr [lindex $ssl_stuff 1]
    # The stored list has only two elements, so there is no third element to read
    if { $ssl_errstr equals "ok" } {
        log local0. "The ok status is: $ssl_errstr"
        pool portal-apps
        HTTP::header remove "If-Modified-Since"
    } elseif { $ssl_errstr equals "" } {
        # Nothing stored for this session: no cert was presented
        log local0. "no cert"
        HTTP::redirect "https://xxxxxx/errors/cert_error.htm"
    } else {
        HTTP::redirect "https://xxxxx/errors/nocert.htm"
        log local0. "cert error or wrong cert: $ssl_errstr"
    }
}
6 Replies
- hoolio
Cirrostratus
Which condition is met when a client makes a request without presenting a cert?
Can you post the log output from a request where a client does not present a cert?
Aaron
- Dirk_Laan_18877
Nimbostratus
(Chertsey ?)
Hello Aaron,
It looks like the rule is never hit when the client has no cert.
So there is also no logging available.
Dirk
- hoolio
Cirrostratus
Hi Dirk,
Yep, I'm in Chertsey.
If the client is making it to the VIP that you have the rule configured for, there should be logging for the HTTP_REQUEST event (regardless of whether the client is presenting the cert or not).
Are you testing by not sending a cert at all, or are you testing by sending a cert initially and then not sending a cert?
Is the connection reset or is passed to the portal-apps pool?
If you aren't seeing any logging whatsoever for requests where clients don't present certs, you might try restarting TMM (bigstart restart tmm) and retesting.
Aaron
- Dirk_Laan_18877
Nimbostratus
I've restarted TMM.
Still no logging.
I'm testing with IE (sending a cert initially and then not sending a cert)
and testing with Firefox (not sending a cert at all).
I get no logging.
In both cases the connection is reset (saying page not found in a new window).
If I use a cert I see logging.
Dirk
- Dirk_Laan_18877
Nimbostratus
I've changed the SSL profile:
changed client certificate from "require" to "request".
In this situation it looks OK.
Thanks
http://devcentral.f5.com/Default.aspxtabid=28&view=topic&forumid=5&postid=3561
Just to point out for everybody else though - the problem here is that you can't inspect the URI until after the SSL handshake has completed. If you have the cert mode set to require, then the handshake is not going to successfully complete without it, therefore you won't be able to inspect the URI to determine if it isn't needed.
However, when the cert mode is set to request, then the handshake merely requests the certificate. If it is not present, the connection is still allowed and the rule can then inspect the URI and determine if one is required. At that point, you could simply check if a certificate was present and reject the connection if one was required but not presented.
The only way to not request a certificate initially is to set the cert mode to none and then, after inspecting the URI, upgrade the cert mode and force a renegotiation. Obviously, not the optimal way to do things if you have only two pages that don't require a certificate.
Thanks
Dirk
- hoolio
Cirrostratus
That makes sense. Thanks for posting the additional info.
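An iRule for the "request" cert mode the thread settles on, as an added example and not code from any poster: the pool name, the /public/ exemption prefix and the error-page paths are assumptions.

```tcl
# Added example (not the original poster's rule). Assumes the clientssl profile
# has Client Certificate set to "request", so the handshake completes even when
# the browser sends no certificate and HTTP_REQUEST can decide what to do.
# Assumed names: pool "portal-apps", the /public/ prefix, the error page paths.

when CLIENTSSL_CLIENTCERT {
    # With cert mode "request" this event fires whether or not a cert arrived,
    # so check the count before asking for a verification result.
    if { [SSL::cert count] > 0 } {
        set errstr [X509::verify_cert_error_string [SSL::verify_result]]
    } else {
        set errstr "nocert"
    }
    # Keep the handshake result for 180 s, keyed on the SSL session id, so
    # later requests on the same or a resumed session can look it up.
    session add ssl [SSL::sessionid] $errstr 180
    log local0. "client cert check: $errstr"
}

when HTTP_REQUEST {
    set errstr [session lookup ssl [SSL::sessionid]]
    if { $errstr equals "" } {
        # No table entry for this session: treat it as no certificate presented
        set errstr "nocert"
    }
    # Pages that never need a certificate (assumed prefix). The error pages live
    # here too, so the redirects below cannot loop back into this rule's checks.
    if { [HTTP::uri] starts_with "/public/" } {
        pool portal-apps
        return
    }
    switch $errstr {
        "ok" {
            HTTP::header remove "If-Modified-Since"
            pool portal-apps
        }
        "nocert" {
            log local0. "no client cert for [HTTP::uri]"
            HTTP::redirect "https://[HTTP::host]/public/errors/nocert.htm"
        }
        default {
            # Cert was presented but failed verification (expired, wrong CA, ...)
            log local0. "cert rejected ($errstr) for [HTTP::uri]"
            HTTP::redirect "https://[HTTP::host]/public/errors/cert_error.htm"
        }
    }
}
```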