Forum Discussion
iRule Optimization w/ Certificates?
Scot_86001 (Nimbostratus), Feb 21, 2010
The iRule below functions and performs as it should. I have been told that what I have below may not be efficient or optimized. I am looking to see if anyone can make some suggestions on how to better optimize. I would also like to know if session persistence and timeout are being maintained as they should. This iRule performs client-side cert authentication only when a certain URI is sent. Upon successful login, header information from the cert is passed to the receiving application. The code below was pieced together from other iRules on DevCentral.
    when CLIENTSSL_CLIENTCERT {
        # Entered after the renegotiation requested in HTTP_REQUEST.
        # Check the count before reading the cert: SSL::cert 0 has nothing
        # to return when the client sent no certificate.
        if { [SSL::cert count] < 1 } {
            reject
            return
        }
        set cert [SSL::cert 0]
        # Let the request held by HTTP::collect continue to the server.
        HTTP::release
    }
    when HTTP_REQUEST {
        # Only requests whose "p" query parameter names ESAT or 311 need a cert.
        set v1 [URI::query [HTTP::uri] "p"]
        if { ($v1 contains "ESAT") || ($v1 contains "311") } then {
            if { [SSL::cert count] <= 0 } {
                # Hold the request, then renegotiate and ask the client for a cert.
                HTTP::collect
                SSL::session invalidate
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode request
                SSL::renegotiate
            }
        }
    }
    when HTTP_REQUEST_SEND {
        clientside {
            # Pass the client cert details to the application. A space must
            # separate the header name from its value; "name"[value] would
            # collapse into a single argument to HTTP::header insert.
            if { [SSL::cert count] > 0 } {
                HTTP::header insert "X-SSL-Session-ID" [SSL::sessionid]
                HTTP::header insert "X-SSL-Client-Cert-Status" [X509::verify_cert_error_string [SSL::verify_result]]
                HTTP::header insert "SSL_CLIENT_S_DN" [X509::subject [SSL::cert 0]]
                HTTP::header insert "SSL_CLIENT_I_DN" [X509::issuer [SSL::cert 0]]
            }
        }
    }
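The following is an added example, not the original poster's iRule or anything from the thread. It keeps the same URI-triggered renegotiation flow and the same four headers, and adds one check a practitioner would want: because the posted rule inserts the identity headers only when a certificate is present, a request to a non-protected URI carries any client-supplied SSL_CLIENT_S_DN (or the other three headers) through to the application untouched. The version below removes those headers from every incoming request first, so the application only ever sees values this rule set itself. The query parameter name "p" and the values ESAT and 311 are taken from the post; the rest of the virtual server and client SSL profile configuration is assumed to be the same as in the post.

```tcl
# Added example (not from the original post). Same flow as the posted rule,
# with client-supplied identity headers stripped before anything else runs.

when CLIENTSSL_CLIENTCERT {
    # Runs after the renegotiation triggered in HTTP_REQUEST.
    # No certificate presented: drop the connection before releasing anything.
    if { [SSL::cert count] < 1 } {
        reject
        return
    }
    # A certificate arrived; let the request held by HTTP::collect continue.
    HTTP::release
}

when HTTP_REQUEST {
    # Never trust these headers from the client. They are only meaningful when
    # this rule adds them in HTTP_REQUEST_SEND, so remove any incoming copies
    # (HTTP::header remove is a no-op when the header is absent).
    foreach hdr [list "X-SSL-Session-ID" "X-SSL-Client-Cert-Status" \
                      "SSL_CLIENT_S_DN" "SSL_CLIENT_I_DN"] {
        HTTP::header remove $hdr
    }

    # Only the application paths selected by p=...ESAT... or p=...311...
    # (values taken from the post) require a client certificate.
    set p [URI::query [HTTP::uri] "p"]
    if { ($p contains "ESAT") || ($p contains "311") } {
        if { [SSL::cert count] < 1 } {
            # Hold the request, then renegotiate and ask the client for a cert.
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        }
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        # Insert the identity headers only when a certificate was presented.
        # Because HTTP_REQUEST removed any client-sent copies, the application
        # can rely on these values having come from the BIG-IP.
        if { [SSL::cert count] > 0 } {
            HTTP::header insert "X-SSL-Session-ID" [SSL::sessionid]
            HTTP::header insert "X-SSL-Client-Cert-Status" \
                [X509::verify_cert_error_string [SSL::verify_result]]
            HTTP::header insert "SSL_CLIENT_S_DN" [X509::subject [SSL::cert 0]]
            HTTP::header insert "SSL_CLIENT_I_DN" [X509::issuer [SSL::cert 0]]
        }
    }
}
```

The header removal is cheap and runs on every request; the renegotiation path is unchanged from the post. The application side still needs to accept these headers only on connections that actually originate from the BIG-IP, since the rule cannot protect a pool member that is reachable by some other route.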
hoolio (Cirrostratus):
Hi Scot,

Scot_86001 (Nimbostratus):
Aaron,

hoolio (Cirrostratus):
If you're going to do OCSP checking of the client cert, I'll add a rule I've been working on which does this to the iRule Codeshare. I'll try to do this by Friday. You'll need to upgrade to 9.4.8HF3 in order to use it.

hoolio (Cirrostratus):
I've done a quick job of anonymizing the iRule and added it to the Codeshare. I didn't do any testing of the iRule or sample config after removing the customer-specific options. If you're able to upgrade to v9.4.8 and install hotfix 3, can you test this and let me know if you have any problems? Please do make sure to do thorough testing before using in a production environment.

Scot_86001 (Nimbostratus):
Aaron,

hoolio (Cirrostratus):
The issue with that approach is that you cannot send an HTTP response from the HTTP_REQUEST_SEND event. When I ran into that issue, F5 development created a hotfix to allow sending an HTTP response from the CLIENTSSL_HANDSHAKE event:

Scot_86001 (Nimbostratus):
Aaron, due to a slew of issues/conflicts with my iRule and the default OCSP iRule provided by F5, I have started working w/ the iRule you provided. In my case, I have multiple responders. Is there a way for me to check the status of each responder's results?

hoolio (Cirrostratus):
Hi Scot,

Scot_86001 (Nimbostratus):
Aaron,

hoolio (Cirrostratus):
500 is not a bad start! Can you explain why you're trying to check the client cert against a DOD and Verisign OCSP server? Are there two different sets of CAs issuing the client certs?