Forum Discussion
iRule Client Cert fail
We have a problem with this iRule. We need to insert the client cert into the HTTP request. If the request content is smaller than about 10 MB it works OK, but when the request is larger it fails. Do you have any idea?
when RULE_INIT {
    set ::loglevel 0
    set ::requestcert 1
}

when CLIENTSSL_CLIENTCERT {
    # Fires once the client has presented a certificate after the renegotiation requested below.
    # Cache the certificate under client IP + SSL session id so later requests can reuse it.
    set cert [SSL::cert 0]
    set sid [SSL::sessionid]
    if { $sid ne "" } {
        if { $::loglevel > 10 } { log local0. "Sesion SSL Cacheada" }
        set key [concat [IP::remote_addr]@$sid]
        session add ssl $key $cert 180
        # Release the request data that HTTP_REQUEST held back with HTTP::collect
        HTTP::release
    }
}

when HTTP_REQUEST {
    set cert [SSL::cert 0]
    set requestedUri [HTTP::uri]
    # Only URIs under /home require a client certificate
    if { ([HTTP::uri] starts_with "/home") } {
        if { $::loglevel > 10 } { log local0. "Se Requiere Certificado de cliente. Solicitada URI segura: $requestedUri" }
        set ::requestcert 1
    } else {
        if { $::loglevel > 10 } { log local0. "No se requiere Certificado de cliente. Solicitada URI insegura: $requestedUri" }
        set ::requestcert 0
    }
    if { $::requestcert == 1 } {
        # A client certificate is required for this request
        if { [info exists cert] and $cert ne "" } {
            if { $::loglevel > 10 } { log local0. "Se encontro certificado de cliente" }
            set sn [X509::serial_number $cert]
        } else {
            set sid [SSL::sessionid]
            if { $::loglevel > 10 } { log local0. "No hay certificado de cliente" }
            if { $sid ne "" } {
                # Resumed SSL session: try to recover the certificate from the session table
                if { $::loglevel > 10 } { log local0. "Sesion en cache, recuperamos certificado de la tabla de sesion" }
                set key [concat [IP::remote_addr]@$sid]
                set cert [session lookup ssl $key]
                if { $cert ne "" } {
                    set sn [X509::serial_number $cert]
                } else {
                    if { $::loglevel > 10 } { log local0. "***** NO SE ENCONTRO EL CERTIFICADO DE CLIENTE, Solicitando Certificado de cliente *****" }
                    # Hold the request until the certificate arrives in CLIENTSSL_CLIENTCERT, then renegotiate
                    HTTP::collect
                    SSL::cert mode request
                    SSL::renegotiate
                }
            } else {
                if { $::loglevel > 10 } { log local0. "Solicitando Certificado de Cliente.." }
                # No session id yet: hold the request and ask the client for a certificate
                HTTP::collect
                SSL::cert mode request
                SSL::renegotiate
            }
        }
    }
}

when HTTP_REQUEST_SEND {
    if { $::loglevel > 10 } { log local0. "HTTP_REQUEST_SEND: " }
    # Forward the client certificate to the pool member as a base64-encoded DER header
    if { [info exists cert] and $cert ne "" } {
        if { $::loglevel > 5 } { log local0. "Insertando Cabecera HTTP [X509::whole $cert]" }
        clientside { HTTP::header replace ClientCert [b64encode [X509::whole $cert]] }
    }
}
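As an added example (not code from the thread or from F5), the backend-side counterpart of the header this iRule inserts: a Python routine that base64-decodes the `ClientCert` header value, walks the outer DER structure of the certificate and returns the serial number, the same value `X509::serial_number $cert` yields on the BIG-IP. It assumes the pool member receives this header only from the BIG-IP; the sample input is a constructed, certificate-shaped DER blob, not a real certificate.

```python
import base64

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def serial_from_clientcert_header(header_value: str) -> int:
    """Backend counterpart of the iRule's X509::serial_number: base64 DER -> integer serial."""
    der = base64.b64decode(header_value, validate=True)  # non-base64 input is rejected outright
    tag, cert, _ = _read_tlv(der, 0)  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)  # tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, ... }
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, val, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:  # explicit [0] version present (v2/v3): skip it to reach serialNumber
        tag, val, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    return int.from_bytes(val, "big", signed=True)  # DER INTEGER is two's complement

def header_is_parseable(header_value: str) -> bool:
    """True when the header decodes to a certificate-shaped blob with a readable serial."""
    try:
        serial_from_clientcert_header(header_value)
        return True
    except ValueError:
        return False

def _der(tag: int, content: bytes) -> bytes:  # TLV encoder, used only for the constructed sample
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def make_constructed_header(serial: int) -> str:
    """Constructed, certificate-shaped DER (version + serial + filler); NOT a real certificate."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # leading 0x00 when high bit is set
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, ser) + _der(0x04, b"\x00" * 200)
    return base64.b64encode(_der(0x30, _der(0x30, tbs))).decode("ascii")
```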
The article about HTTP::collect mentions some limits, or at least warnings, about not collecting too much data.
https://devcentral.f5.com/wiki/iRules.HTTP__collect.ashx
Do you really require that HTTP::collect command? I have requested client certificates fine with just the SSL client profile.
- Stanislas_Piro2
Cumulonimbus
Hi,
You are working with global variables, which is deprecated.
Replace all ::requestcert by requestcert throughout the iRule.
Replace all $::loglevel by $static::loglevel.