Forum Discussion
iRule doesn't work with 2k3 server
rraver_79489
Nimbostratus
May 05, 2009
We have the below iRule that seems to work with all clients except for 2k3 server; we've tried it on a default install using Internet Explorer 7, and it pauses when we hit login. This iRule works with Windows XP, Vista, and 2k3 server using Firefox. Anyone know or have any ideas why this wouldn't work?
when HTTP_REQUEST {
    log "Handling HTTP_REQUEST"
    # Always loop to remove possible multiple occurrences of the header
    while { [HTTP::header exists X.509] } {
        HTTP::header remove X.509
    }
    # Conditionally request a client cert
    if { ([HTTP::uri] starts_with "/acct/login.action" || [HTTP::uri] starts_with "/acct/registration") && [SSL::cert count] == 0 } {
        log "Authentication desired."
        log "Requesting authentication."
        # Hold the HTTP request
        HTTP::collect
        log "HTTP::collect enabled."
        SSL::cert mode request
        log "SSL::cert mode set."
        # Renegotiate SSL
        SSL::renegotiate
        log "SSL::renegotiate requested."
    }
    log "Handler completed."
}
when CLIENTSSL_CLIENTCERT {
    log "Handling CLIENTSSL_CLIENTCERT"
    HTTP::release
    log "Handler completed."
}
when HTTP_REQUEST_SEND {
    log "Handling HTTP_REQUEST_SEND"
    clientside {
        if { [SSL::cert count] > 0 } {
            log "Certificate presented."
            # If the client provided a cert, pass it along
            set val [b64encode [SSL::cert 0]]
            # Also include other certs in the chain it provided
            for { set i 1 } { $i < [SSL::cert count] } { incr i } {
                append val "; " [b64encode [SSL::cert $i]]
            }
            # Stuff it all in the header, with folding because it's long
            HTTP::header insert "lws" X.509 $val
        }
    }
    log "Handler completed."
}
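A backend-side decoder for the X.509 header that the posted iRule builds, added here as an example; it is not part of the original post and not F5's code. It assumes the value is exactly what the HTTP_REQUEST_SEND handler emits: each certificate in the chain as base64 DER, joined with "; ", and possibly folded across lines by the "lws" option. The two sample blobs are constructed minimal DER SEQUENCEs, not real certificates, so the block runs offline; a real chain would be parsed the same way and then handed to a proper X.509 validator. The framing check catches truncated or mangled values early but does not replace verifying the chain itself, and the application can only trust this header at all because the HTTP_REQUEST handler strips any client-supplied copy before the request is forwarded.

```python
"""Decoder for the X.509 header that the iRule above inserts.

The HTTP_REQUEST_SEND handler emits
    X.509: <base64 DER of cert 0>; <base64 DER of cert 1>; ...
and folds the value with linear whitespace (the "lws" option), so a backend
may receive it spread over several lines.  Example code, not F5's.
"""
import base64
import re

# Constructed sample blobs: minimal DER SEQUENCEs, NOT real certificates.
# They only exercise the framing checks; a real cert is a much larger SEQUENCE.
SAMPLE_SHORT_DER = b"\x30\x03\x02\x01\x05"                        # SEQUENCE { INTEGER 5 }
SAMPLE_LONG_DER = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"A" * 197  # long-form length, 200 content bytes


def der_sequence_length(buf: bytes) -> int:
    """Total encoded size of the outer DER SEQUENCE at the start of buf.

    Raises ValueError if the tag is wrong or the length is not minimally
    encoded, which is how most truncated or mangled values show up.
    """
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                       # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                       # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length encoding")
    length = int.from_bytes(buf[2:2 + n], "big")
    if length < 0x80 or buf[2] == 0:       # DER requires the shortest form
        raise ValueError("non-minimal DER length")
    return 2 + n + length


def build_x509_header(chain: list[bytes]) -> str:
    """Build the header value the same way the iRule does: base64 each DER
    certificate and join the chain with '; '."""
    return "; ".join(base64.b64encode(der).decode("ascii") for der in chain)


def parse_x509_header(value: str) -> list[bytes]:
    """Split the header value back into DER certificates.

    Folding whitespace is removed before base64 decoding, and each element
    must decode to exactly one complete DER SEQUENCE with no trailing bytes.
    """
    certs = []
    for chunk in value.split(";"):
        token = re.sub(r"\s+", "", chunk)  # strip lws folding (CRLF + SP/HT)
        if not token:
            raise ValueError("empty certificate element in X.509 header")
        try:
            der = base64.b64decode(token, validate=True)
        except ValueError as exc:          # binascii.Error is a ValueError subclass
            raise ValueError(f"invalid base64 in X.509 header: {exc}") from None
        if der_sequence_length(der) != len(der):
            raise ValueError("DER length does not match decoded data")
        certs.append(der)
    return certs


if __name__ == "__main__":
    header = build_x509_header([SAMPLE_SHORT_DER, SAMPLE_LONG_DER])
    # Simulate the lws folding the LTM applies to a long header value.
    folded = header[:40] + "\r\n " + header[40:]
    chain = parse_x509_header(folded)
    print(f"{len(chain)} certificate(s), sizes {[len(c) for c in chain]}")
    try:
        parse_x509_header(build_x509_header([SAMPLE_LONG_DER[:-1]]))
    except ValueError as exc:
        print("truncated value rejected:", exc)
```

The decoder only covers the header format. The hang the post describes happens before any header is built: HTTP::release is called only from CLIENTSSL_CLIENTCERT, so a client that resumes its existing SSL session during the renegotiation instead of completing a full handshake never raises that event, and the request held by HTTP::collect is never released.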
hoolio
Cirrostratus
Can you compare the log output from a successful request from Win2k3 on Firefox with that from a failure from Win2k3 on IE7? Can you post anonymized logs?
rraver_79489
Nimbostratus
I have done an SSL dump between a working Vista IE7 and a non-working 2003 IE7; the difference is that when it does a renegotiation, the Server 2003 client does a resume and the Vista client doesn't. I have attached the SSL dump, which should tell you the most short of a decrypted libpcap. The application is to get the certificate off the CAC card and provide it to the application; I was told this is only possible via iRule, so our developers produced the above iRule. I will look into the SSL profile. Any help would be appreciated.
hoolio
Cirrostratus
Did you ever figure this out? I'm seeing something similar with an IE6 client that resumes an existing SSL session.