For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Billy_chuang_16's avatar
Billy_chuang_16
Historic F5 Account
Jun 15, 2005

insert ssl client cert info to HTTP header

Hi,   in version 4.5, there is a easy to way to insert Client Cert info to HTTP header, how should the iRule write to achieve this features ? I checked the example in devcentral that confuse me ...
application delivery
dev
devops
iRules
unRuleY_95363's avatar
unRuleY_95363
Historic F5 Account
Jun 21, 2005
The following rule might work depending on how you have ssl configured: 

 
 when CLIENTSSL_CLIENTCERT { 
    set cert [X509::verify_cert_error_string [SSL::verify_result]] 
 } 
 when HTTP_REQUEST { 
    if { [info exists cert] } { 
       HTTP::header insert ClientCert $cert 
    } 
 }

However, we have noticed that some browsers (MSIE) only send the cert on one of the connections and open several sessions and thus the cert is not available on all the connections. The following rule handles that case by using an encrypted cookie to pass the cert header. 

 
 when RULE_INIT { 
    set ::key [AES::key 128] 
 } 
  
 when CLIENTSSL_CLIENTCERT { 
    session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180 
 } 
  
 when HTTP_REQUEST { 
    set id [SSL::sessionid] 
    set y [session lookup ssl $id] 
    if { $y ne "" } { 
       set z [b64encode [AES::encrypt $::key $y]] 
       session delete ssl $id 
    } elseif { [HTTP::cookie exists ClientZ] } { 
       HTTP::header insert ClientCert  [AES::decrypt $::key [b64decode [HTTP::cookie ClientZ]]] 
    } else { 
       set z [b64encode [AES::encrypt $::key none]] 
    } 
 } 
  
 when HTTP_RESPONSE { 
    if { [info exists z] } { 
      HTTP::header insert "Set-Cookie ClientZ=$z" 
    } 
 }