Forum Discussion
James_Thomson
Employee
Dec 13, 2004
Inserting client certificate information into HTTP headers
To accomplish this, from reading the manual, it looks like I want to be using this:
SSL::modssl_sessionid_headers
and then
HTTP::header insert_modssl_fields
...
G__Wesley_Rober
Aug 06, 2007
Historic F5 Account
I have a client using this same iRule. With production traffic, the session table rarely shows more than 1-2 records. Observing the session table during test traffic with two clients we can see the same record getting updated (as evidenced by the idle timer updating) by browser activity from either client, and therefore the server is often seeing the cert for the wrong client in the header. Logging of the sessionid shows they are nearly always the same value. The ID logged doesn’t match the ID in the session table either. I think there is a problem with the [SSL::sessionid] command returning bogus (always the same) values. I also think there is a problem with the output of either the logged sessionid value or the session table output.
We are dumping the session table with:
“b persist mode ssl show all”
TROUBLESHOOTING STEPS TAKEN
Using a very simple version of an iRule from DevCentral and SOL 5171, we have encountered the same issue in the test environment. Here is the Wiki documentation of the methodology they are using:
http://devcentral.f5.com/wiki/default.aspx/iRules/session.html
Here is a copy of the test iRule we implemented, posted here: http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&forumid=5&postid=3469 .
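when CLIENTSSL_HANDSHAKE {
    # Store the client certificate in the session table, keyed by SSL session ID,
    # unless an entry for that ID already exists
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        session add ssl [SSL::sessionid] [SSL::cert 0]
    }
}
when HTTP_REQUEST {
    # Look up the certificate stored under this connection's SSL session ID
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert != "" } {
        # Pass the stored certificate to the server, base64-encoded
        HTTP::header replace SSLClientCert [b64encode $the_cert]
    }
}
They have opened a support case, but I was wondering why others aren't seeing similar issues.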
TIA,
Wes
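A diagnostic iRule for confirming the mismatch described in the post above, added here as an example and not taken from the thread or from F5 documentation. It assumes it runs on the same virtual server alongside the posted iRule (which fills the session table), that logging to local0 is acceptable in the test environment, and that a resumed handshake may present no certificate; the `certdiag` log prefix and the variable names are made up for this example.

```tcl
when CLIENTSSL_HANDSHAKE {
    # Record who connected, the session ID, and the certificate this
    # connection actually presented (if any) for later comparison.
    set diag_peer "[IP::client_addr]:[TCP::client_port]"
    set diag_sid [SSL::sessionid]
    if { [SSL::cert count] > 0 } {
        set diag_hs_subj [X509::subject [SSL::cert 0]]
    } else {
        # Assumption: no certificate is exposed here on a resumed session
        set diag_hs_subj "none"
    }
    log local0. "certdiag handshake peer=$diag_peer sid=$diag_sid presented=\"$diag_hs_subj\""
}
when HTTP_REQUEST {
    # Repeat the lookup the posted iRule performs and log what it returns.
    set diag_req_sid [SSL::sessionid]
    set diag_stored [session lookup ssl $diag_req_sid]
    if { $diag_stored ne "" } {
        set diag_stored_subj [X509::subject $diag_stored]
    } else {
        set diag_stored_subj "none"
    }
    log local0. "certdiag request peer=$diag_peer sid=$diag_req_sid stored=\"$diag_stored_subj\""

    # The session ID should not change between handshake and request
    # on the same connection.
    if { $diag_req_sid ne $diag_sid } {
        log local0. "certdiag SID-CHANGED peer=$diag_peer handshake_sid=$diag_sid request_sid=$diag_req_sid"
    }
    # If this connection presented a certificate, the table entry for its
    # session ID must carry the same subject; anything else means the
    # server would receive another client's certificate.
    if { $diag_hs_subj ne "none" && $diag_stored_subj ne $diag_hs_subj } {
        log local0. "certdiag MISMATCH peer=$diag_peer sid=$diag_req_sid presented=\"$diag_hs_subj\" stored=\"$diag_stored_subj\""
    }
}
```

Two test clients with different certificates that log the same `sid` value, followed by a `MISMATCH` line for the second client, would match the behaviour reported in the post.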