Forum Discussion
insert ssl client cert info to HTTP header
Hi,
in version 4.5, there is a easy to way to insert Client Cert info to HTTP header, how should the iRule write to achieve this features ? I checked the example in devcentral that confuse me ...
The following rule might work depending on how you have ssl configured:
when CLIENTSSL_CLIENTCERT {
set cert [X509::verify_cert_error_string [SSL::verify_result]]
}
when HTTP_REQUEST {
if { [info exists cert] } {
HTTP::header insert ClientCert $cert
}
}
However, we have noticed that some browsers (MSIE) only send the cert on one of the connections and open several sessions and thus the cert is not available on all the connections. The following rule handles that case by using an encrypted cookie to pass the cert header.
when RULE_INIT {
set ::key [AES::key 128]
}
when CLIENTSSL_CLIENTCERT {
session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180
}
when HTTP_REQUEST {
set id [SSL::sessionid]
set y [session lookup ssl $id]
if { $y ne "" } {
set z [b64encode [AES::encrypt $::key $y]]
session delete ssl $id
} elseif { [HTTP::cookie exists ClientZ] } {
HTTP::header insert ClientCert [AES::decrypt $::key [b64decode [HTTP::cookie ClientZ]]]
} else {
set z [b64encode [AES::encrypt $::key none]]
}
}
when HTTP_RESPONSE {
if { [info exists z] } {
HTTP::header insert "Set-Cookie ClientZ=$z"
}
}
