Forum Discussion
James_Thomson
Employee
Dec 13, 2004
Inserting client certificate information into HTTP headers
To accomplish this, from reading the manual, it looks like I want to be using this:
SSL::modssl_sessionid_headers
and then
HTTP::header insert_modssl_fields
...
James_Thomson
Employee
Dec 20, 2004
I used this and it worked great. This grabs the whole certificate, b64 encodes it and then passes it back to the server in an HTTP header. This is a little confusing because IE for some reason opens up two connections during an SSL handshake. This rule basically takes the certificate from the first connection and carries it over to the second connection by inserting it into a cookie:
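rule insertcerthdr_long {
    when RULE_INIT {
        # Generate a 128-bit AES key used to protect the certificate cookie.
        set ::key [AES::key 128]
        # Debug output: this writes the key itself to the log.
        log local0. "the key is: $::key"
    }
    when CLIENTSSL_CLIENTCERT {
        # Both values are stored under the same key, the SSL session ID,
        # with a 180-second timeout.
        session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180
        session add ssl [SSL::sessionid] [SSL::cert 0] 180
    }
    when HTTP_REQUEST {
        if {! [HTTP::cookie exists ClientZ]} {
            # No cookie yet: fetch the certificate saved during the handshake.
            set id [SSL::sessionid]
            set cert [session lookup ssl $id]
            if { $cert ne "" } {
                log "cert is: $cert"
                session delete ssl $id
            } else {
                log "no cert, no connection!"
                reject
                return
            }
            # Encrypted copy, sent to the client as a cookie in HTTP_RESPONSE.
            set z [b64encode [AES::encrypt $::key $cert]]
        } else {
            # Cookie present: recover the certificate from it.
            set cert [AES::decrypt $::key [b64decode [HTTP::cookie ClientZ]]]
        }
        HTTP::header insert ClientCert [b64encode $cert]
        log "Inserting HTTP header ClientCert: $cert"
    }
    when HTTP_RESPONSE {
        if { [info exists z] } {
            log "in http response Z is: $z"
            # Header name and value are passed as separate arguments.
            HTTP::header insert Set-Cookie "ClientZ=$z"
        }
    }
}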
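The rule above hands the backend a base64-encoded certificate in the ClientCert header. As an added example (not part of the original post and not F5 code), this is one way a Python backend could check that header before using it; the proxy address 10.0.0.5, the function names and the sample bytes are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib

TRUSTED_PROXIES = {"10.0.0.5"}  # assumed address the load balancer connects from


def der_total_length(der: bytes) -> int:
    """Return the full encoded size of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                     # short form: one length byte
        return 2 + first
    n = first & 0x7F                     # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def client_cert_from_headers(peer_ip, headers):
    """Return (der_bytes, sha256_hex) from the ClientCert header or raise ValueError.

    headers is a list of (name, value) pairs as received, duplicates included.
    """
    # The header is only meaningful when the proxy itself set it.
    if peer_ip not in TRUSTED_PROXIES:
        raise ValueError("request did not arrive through the proxy")
    # An inserted header does not displace one the client already sent,
    # so more than one value means the request cannot be trusted.
    values = [v for k, v in headers if k.lower() == "clientcert"]
    if len(values) != 1:
        raise ValueError("expected exactly one ClientCert header")
    try:
        der = base64.b64decode(values[0], validate=True)
    except binascii.Error as exc:
        raise ValueError("ClientCert is not valid base64") from exc
    # The outer SEQUENCE must account for every byte: no truncation, no trailer.
    if der_total_length(der) != len(der):
        raise ValueError("truncated or trailing DER data")
    return der, hashlib.sha256(der).hexdigest()


# Constructed sample: a 6-byte DER SEQUENCE standing in for a real certificate.
SAMPLE_DER = bytes.fromhex("300405000500")
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode()
```

The returned SHA-256 fingerprint is a convenient value to log or to match against known certificates instead of logging the certificate itself.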