Forum Discussion
Cisco2F5_16233
Jan 05, 2012 (Nimbostratus)
iRule /SSL Profile Issue
Basically I have a Web-facing VIP with a real-world IP for some of our HTTPS transactions; because of this we use an auto SNAT. What we are seeing is when our vendors make a connection we separate their...
hooleylist
Jan 05, 2012 (Cirrostratus)
With your current iRule, the header will only get inserted on HTTP requests where the client presented the cert. If the client opens a new connection and resumes the existing SSL session, you wouldn't get the cert details inserted.
You could either change the cert frequency to always or modify the iRule to read the session table entry in HTTP_REQUEST. I've added some functionality to check the client's cert against the trusted CA bundle configured in the client SSL profile. I also added some options for handling when the client's resumed session does not exist in TMM's cache. Here's an untested example:
```tcl
when RULE_INIT {
    # Log debug messages to /var/log/ltm? 1=yes, 0=no
    set static::cert_debug 1
}
when CLIENTSSL_CLIENTCERT {
    # Check if the client presented a cert
    if { [SSL::cert count] == 0 } {
        if { $static::cert_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: No cert. Rejecting." }
        # Remove the SSL session ID from the cache and reset the connection
        SSL::session invalidate
        reject
    } else {
        # Check if client cert validates against TMM's trusted CA cert bundle
        # SSL status codes defined here: http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS
        if { [SSL::verify_result] != 0 } {
            if { $static::cert_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Bad cert - [X509::verify_cert_error_string [SSL::verify_result]]" }
            # Remove the SSL session ID from the cache and reset the connection
            SSL::session invalidate
            reject
        }
    }
}
when HTTP_REQUEST {
    # Check if the client SSL session ID and cert exist in the TMM cache
    if { [SSL::sessionid] ne "" and [SSL::cert 0] ne "" } {
        HTTP::header replace NETWORK_ALIAS [X509::hash [SSL::cert 0]]
        if { $static::cert_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Inserting cert hash: [X509::hash [SSL::cert 0]]" }
    } else {
        if { $static::cert_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Invalid client SSL session ID or cert." }
        # Only one of the three options below should be active; the alternatives are commented out.

        # Option 1: Send a TCP reset
        reject

        # Option 2: Or send an HTTP response?
        #HTTP::respond 403 content {You must supply a client cert}

        # Option 3: Or renegotiate the handshake to request a client cert?
        # Force renegotiation of the SSL connection with a cert requested.
        # Hold the HTTP request until the SSL re-negotiation is complete.
        #HTTP::collect ;# Need to call HTTP::release in CLIENTSSL_CLIENTCERT if a cert is presented
        #SSL::session invalidate
        #SSL::authenticate always
        #SSL::authenticate depth 9
        #SSL::cert mode require
        #SSL::renegotiate
    }
}
```
Aaron