Forum Discussion

juergen_lampar1
Jun 17, 2015

insert http-header value from SSL Certificate extensions

Hi, I need to insert the email address from the client certificate into the HTTP header sent to the real server. My iRule writes only an empty header:

when CLIENTSSL_CLIENTCERT {
    set search_ext_attribute "email:"
    set search_ext_length [string length $search_ext_attribute]
    set the_cert [SSL::cert 0]
    if {[SSL::cert count] > 0}{
        # as posted: the closing ] of the findstr command is missing here
        set ext_attribute [findstr [X509::extensions [SSL::cert 0]] $search_ext_attribute $search_ext_length " "
        session add ssl [SSL::sessionid] $ext_attribute
    }
}
when HTTP_REQUEST {
    set header_ext_email "x-http-email"
    if {[SSL::sessionid] ne ""}{
        set ssllist [session lookup ssl [SSL::sessionid]]
        # as posted: ssllist is referenced without $, so lindex is applied to the literal string
        set ext_attribute [lindex ssllist 1]
        if { [SSL::cert count] > 0} {
            set the_cert [SSL::cert 0]
            HTTP::header insert $header_ext_email [getfield $ext_attribute "," 1]
        }
    }
}

Why?


3 Replies

  • Have you tried basic debugging yourself? If not, this is how I would approach this:

    Start with logging the X509::extensions to see if the email is available there.

    Then check if you filter it correctly into ext_attribute; I believe that line is missing a ].

    Then, why do you put it in a session table? You've got your email, which you can insert in your header without making it extra complex.

  • Hi,

    Now the iRule is running, but I have another problem. Our application needs the HTTP header every time, not only on a new connection or when the SSL session ID changes. Does anyone have an idea?

    when CLIENTSSL_CLIENTCERT {
        set search_cn_attribute "emailAddress="
        set search_cn_length [string length $search_cn_attribute]
        set cn_attribute ""
        if {[SSL::cert count] > 0} {
            # split the subject DN into its attributes and collect every emailAddress value
            set cert_subject [split [X509::subject [SSL::cert 0]] ","]
            foreach subject_attribute $cert_subject {
                if {$subject_attribute starts_with $search_cn_attribute} {
                    if {$cn_attribute eq ""} {
                        append cn_attribute "[findstr $subject_attribute $search_cn_attribute $search_cn_length]"
                    } else {
                        append cn_attribute ","
                        append cn_attribute "[findstr $subject_attribute $search_cn_attribute $search_cn_length]"
                    }
                }
            }
            session add ssl [SSL::sessionid] $cn_attribute
        }
    }
    when HTTP_REQUEST {
        set header_cn_info "x-http-authinfo"
        # cn_attribute only exists on connections where CLIENTSSL_CLIENTCERT fired;
        # the value saved to the session table above is not read back here
        if {![info exists cn_attribute]} {
            set cn_attribute ""
        }
        if {[HTTP::header exists $header_cn_info]} {
            HTTP::header remove $header_cn_info
        }
        HTTP::header insert $header_cn_info [getfield $cn_attribute "," 1]
    }

    • Ronald_van_der3
      Sounds like you have an issue with session handling in your application? I would recommend fixing this issue in the application instead of building a workaround (which can be 'mis'-used by other users) in LTM.
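The two points raised above (the header must be present on every request, including ones on a resumed SSL session where CLIENTSSL_CLIENTCERT does not fire again, and a client must not be able to supply the header itself) can both be handled in the iRule. The following is an added example and not the original poster's iRule; the header name, the 3600 s session-table timeout and the log prefix are assumed values.

```tcl
# Added example (not the poster's iRule): read emailAddress from the client
# certificate subject once, cache it in the session table keyed by the SSL
# session ID, and derive the header from that cache on every request.
when CLIENTSSL_CLIENTCERT {
    set cert_email ""
    if { [SSL::cert count] > 0 } {
        # X509::subject returns a DN such as
        # "emailAddress=user@example.com, CN=User, O=Example"
        foreach rdn [split [X509::subject [SSL::cert 0]] ","] {
            set rdn [string trim $rdn]
            if { $rdn starts_with "emailAddress=" } {
                set cert_email [getfield $rdn "=" 2]
                break
            }
        }
    }
    # Cache the value for resumed SSL sessions: a client that resumes the
    # session proved possession of its master secret, so the mapping from
    # session ID to certificate holder stays valid. 3600 s is an assumed timeout.
    if { $cert_email ne "" } {
        session add ssl [SSL::sessionid] $cert_email 3600
    }
    log local0. "cert-email: session=[SSL::sessionid] email=$cert_email"
}
when HTTP_REQUEST {
    set header_name "x-http-authinfo"
    # The backend trusts this header, so a client-supplied copy is always
    # dropped before LTM decides whether to set its own.
    HTTP::header remove $header_name
    if { [SSL::sessionid] ne "" } {
        set cert_email [session lookup ssl [SSL::sessionid]]
        if { $cert_email ne "" } {
            HTTP::header insert $header_name $cert_email
        } else {
            # No cached value: no certificate was presented, or the session
            # table entry expired before the resumed session did.
            log local0. "cert-email: no cached value for session [SSL::sessionid]"
        }
    }
}
```

The session-table timeout should be at least as long as the SSL session cache timeout of the client-ssl profile, otherwise a resumed session can arrive after its cached email has expired and the request goes to the backend without the header.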