iRule to ask for client cert
yeser
Feb 14, 2008
Hi, I developed an iRule to ask for a certificate and insert it in an HTTP header. Everything works properly, but BIG-IP asks for the client certificate all the time, on each click and for each part of the same page. The default behaviour is to authenticate ONCE (not always), but I specified it in the iRule. Any idea what the problem is? Help!
The iRule is:
    when HTTP_REQUEST {
        # EncCert is set in CLIENTSSL_CLIENTCERT below
        if { (not [info exists EncCert]) and ([HTTP::uri] starts_with "/XXXXXX") } {
            # Hold the request while the SSL renegotiation runs
            HTTP::collect
            SSL::authenticate once
            SSL::authenticate depth 3
            SSL::cert mode request
            SSL::renegotiate
        }
    }
    when CLIENTSSL_HANDSHAKE {
        HTTP::release
    }
    when HTTP_REQUEST_SEND {
        clientside {
            if { ([SSL::cert count] > 0) and (not [info exists InsCert]) } {
                # Pass the client certificate to the server in a header
                HTTP::header insert "auth-cert" [X509::whole [SSL::cert 0]]
                set InsCert "OK"
            }
        }
    }
    when CLIENTSSL_CLIENTCERT {
        set EncCert "OK"
    }
1 Reply
- Nicolas_Menant
Employee
Hi,
The thing is, the variable will exist only for this connection (unless you were using global variables, which is not the case here). Your variable EncCert exists only for this connection. Since your browser will open many connections, you'll need to authenticate for each. If your client uses HTTP/1.0, there will be an authentication for each object.
HTTP::collect is useless here. It may be used if you need to look at the payload manually; with the HTTP:: commands you don't need such manipulation.
I can't test this one right now, but it should work properly.
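    when HTTP_REQUEST {
        if { ([SSL::cert count] == 0) and ([HTTP::uri] starts_with "/XXXXXX") } {
            # No client certificate on this connection yet: request one
            SSL::authenticate once
            SSL::authenticate depth 3
            SSL::cert mode request
            SSL::renegotiate
        } elseif { [SSL::cert count] > 0 } {
            # A certificate is present: pass it to the server in a header
            HTTP::header insert "auth-cert" [X509::whole [SSL::cert 0]]
        }
    }
    when CLIENTSSL_HANDSHAKE {
        HTTP::release
    }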
Try searching this forum for keywords like SSL::authenticate; you will find some working examples.
HTH
N.
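An added example, not written by either poster: one way to forward the client certificate so the server can rely on the "auth-cert" header. The header name and the "/XXXXXX" prefix come from the thread, and it keeps the HTTP::collect / HTTP::release pairing from the question; removing any client-supplied copy of the header, the SSL::verify_result check and the base64 encoding are assumptions added here.

```tcl
# Added example (assumptions: the server trusts "auth-cert" only when the
# BIG-IP set it, and accepts the certificate as base64-encoded DER).
when HTTP_REQUEST {
    # Drop any "auth-cert" header sent by the client, so the server only
    # ever sees a value inserted by this iRule.
    HTTP::header remove "auth-cert"

    # Certificate state belongs to the TCP connection: ask only when this
    # connection has not presented a certificate yet.
    if { ([HTTP::uri] starts_with "/XXXXXX") and ([SSL::cert count] == 0) } {
        HTTP::collect    ;# hold the request until the handshake completes
        SSL::authenticate once
        SSL::authenticate depth 3
        SSL::cert mode request
        SSL::renegotiate
    }
}

when CLIENTSSL_HANDSHAKE {
    # Handshake finished: let the held request continue
    HTTP::release
}

when HTTP_REQUEST_SEND {
    clientside {
        if { [SSL::cert count] > 0 } {
            # "request" mode lets the handshake finish even when the
            # certificate fails verification, so check the result first.
            if { [SSL::verify_result] == 0 } {
                # One header line, no PEM line breaks
                HTTP::header insert "auth-cert" [b64encode [SSL::cert 0]]
            } else {
                log local0. "Client cert rejected: [X509::verify_cert_error_string [SSL::verify_result]]"
            }
        }
    }
}
```

With "request" mode a client may also present no certificate at all, in which case the request reaches the server without the header and the server has to treat it as unauthenticated.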
