Forum Discussion
Inserting info from client SSL certificate
I am trying to replicate the functionality of the 4.5 SSL proxy,
where I could request insertion of various information from the client SSL certificate into HTTP headers, including the complete certificate.
I am new to iRules and so far I was not successful with my attempts
(read the manual, tried, failed, repeat). My software is version 9.0.2.
Thank you in advance for any hints or pointers,
Milon Papezik
--
mmp@actinet.cz
- You can query the following information from the SSL Certificate:
| iRule Command | Description |
| --- | --- |
| SSL::mode | In a client-side context, returns one of require, request, ignore, or auto. In a server-side context, returns one of require or ignore. |
| SSL::cert | Returns the index of the X509 SSL certificate in the peer certificate chain, where index is a value greater than or equal to zero. A value of zero denotes the first certificate in the chain, a value of one is the next, and so on. This command is currently applicable only under a client-side context and returns an error within a server-side context. |
| SSL::cert issuer | Returns the issuer certificate of the index of the X509 SSL certificate in the peer certificate chain, where index is a value greater than or equal to zero. A value of zero denotes the first certificate in the chain, a value of one is the next, and so on. This command is currently applicable only under a client-side context and returns an error within a server-side context. |
| SSL::cert count | Returns the total number of certificates that the peer has offered. |
| SSL::verify_result | Returns the result code from peer certificate verification using the same values as the OpenSSL SSL_get_verify_result() function. |
| SSL::cipher name | Returns the current SSL cipher version using the format of the OpenSSL SSL_CIPHER_get_version() function. |
| SSL::cipher version | Returns the current SSL cipher version using the format of the OpenSSL SSL_CIPHER_get_version() function. |
| SSL::cipher bits | Returns the number of secret bits that the current SSL cipher used, using the format of the OpenSSL SSL_CIPHER_get_bits() function. |
| SSL::SSL::current_sessionid | Returns the SSL session ID currently negotiated, or a value of -1, if no session ID exists. |
| SSL::modssl_sessionid_headers [+] | Returns a list of fields that the system is to add to the HTTP headers in order to emulate modssl behavior. The return type is a Tcl list that the system then interprets as a header name/header value pair. The options that you can specify with this command are initial and current. |

| iRule Command | Description |
| --- | --- |
| HTTP::header insert ["lws"] | Inserts the named HTTP header and its value into the end of the HTTP request or response. If you specify "lws", the system adds linear white space to long header values. |
| HTTP::header insert ["lws"] {n1, v1, n2, v2, n3, v3, ...} | Passes a Tcl list to insert into a header. In such cases, the system treats the list as a list of name/value pairs. If you specify "lws", the system adds linear white space to long header values. |
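
One way to combine the SSL:: queries and HTTP::header insert listed above into a working rule, as an added example that is not part of the original thread. The X-Client-Cert-* header names are hypothetical, and the X509:: and b64encode commands are standard iRule commands that the tables above do not list; availability on 9.0.2 and a client SSL profile that requests or requires a certificate are assumptions.

```tcl
# Added example (not from the thread). Header names are hypothetical;
# agree on them with the back-end application.
when HTTP_REQUEST {
    # Remove any copies supplied by the client, so the back end only
    # ever sees values written by the BIG-IP itself.
    set cert_headers {
        X-Client-Cert-Verify
        X-Client-Cert-Subject
        X-Client-Cert-Issuer
        X-Client-Cert-Serial
        X-Client-Cert
    }
    foreach h $cert_headers {
        HTTP::header remove $h
    }

    # No certificate offered on this connection: forward the request
    # without any certificate headers.
    if { [SSL::cert count] == 0 } {
        return
    }

    # Index 0 is the first certificate in the peer chain (the client's own).
    set cert [SSL::cert 0]
    set rc [SSL::verify_result]

    # Always report the verification outcome as a readable string.
    HTTP::header insert "X-Client-Cert-Verify" \
        [X509::verify_cert_error_string $rc]

    # Pass identity fields on only when verification succeeded
    # (0 is X509_V_OK in OpenSSL's result codes).
    if { $rc == 0 } {
        HTTP::header insert "X-Client-Cert-Subject" [X509::subject $cert]
        HTTP::header insert "X-Client-Cert-Issuer" [X509::issuer $cert]
        HTTP::header insert "X-Client-Cert-Serial" [X509::serial_number $cert]
        # Complete certificate, base64-encoded so the value stays on one line.
        HTTP::header insert "X-Client-Cert" [b64encode $cert]
    }
}
```

The back end should accept these headers only on connections arriving from the BIG-IP, since anything that can reach it directly can set them freely.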