Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

zafer's avatar
zafer
Icon for Nimbostratus rankNimbostratus
Dec 28, 2009

InsertCertInServerHeaders

Hello i tested this rule, but it does not check empty Certificate from IE. i tested with Firefox and i try send Empty certificate to the vip, Redirect works properly but when i tested with IE i...
application delivery
dev
devops
irules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Dec 29, 2009
Zafer,

Can you clarify how you were testing? Do you have the client SSL profile client cert option set to require or request? What type of test did you try when you encountered the issue?

Can you try this version of the client cert header insert rule. I think it covers more cases than the original version: 

 
  client_cert_header_insert_rule 
  
 when CLIENTSSL_CLIENTCERT { 
  
     Check if client presented at least one cert 
    if {[SSL::cert count] > 0}{ 
  
        Insert the following fields in the session table with a timeout of 7200 seconds: 
          Do the processing now as opposed to in HTTP_REQUEST as there  
          can be many HTTP requests using the same SSL session ID 
        
          Index - item 
          0 - base64 encoding of the client SSL cert  
          1 - serial number of the cert 
          2 - the verification status text for the client cert against the client SSL profile's root CA cert 
       session add ssl [SSL::sessionid] [list \ 
          [SSL::verify_result] \ 
          [b64encode [SSL::cert 0]] \ 
          [X509::serial_number [SSL::cert 0]] \ 
       ] 7200 
  
       log local0. "[IP::client_addr]:[TCP::client_port]: Added session data for cert. Status:\ 
          [X509::verify_cert_error_string [lindex [session lookup ssl [SSL::sessionid]] 0]] with key [SSL::sessionid]" 
    } 
 } 
  
 when HTTP_REQUEST { 
  
     Check if SSL session ID is in the cache (SSL::sessionid returns 64 zeroes if it's not) 
    if {[SSL::sessionid] ne "0000000000000000000000000000000000000000000000000000000000000000"}{ 
  
        Get the session table entry (a TCL list) for this session ID 
       set session_data [session lookup ssl [SSL::sessionid]] 
  
        Check if the first element of the session table entry for this session ID is 0 (status for successful cert validation) 
       if {[lindex $session_data 0] == 0}{ 
  
          log local0. "[IP::client_addr]:[TCP::client_port]: Valid cert per session table entry. Inserting cert details in HTTP headers." 
  
           Insert cert details in the HTTP headers 
          HTTP::header insert SSLClientCertStatus "ok" 
          HTTP::header insert SSLClientCertb64 [lindex $session_data 1] 
          HTTP::header insert SSLClientCertSN [lindex $session_data 2] 
  
           Exit this event in this rule 
          return 
       } 
    } 
     If we're still in this rule, cert wasn't valid 
       so send HTTP 302 redirect to an error page 
    HTTP::respond "http://[HTTP::host]/cert_error.html" 
  
    log local0. "[IP::client_addr]:[TCP::client_port]: No or invalid cert from client." 
 }

Aaron