Forum Discussion
iRule to redirect user with incorrect certificate to specific url
Hi Spela,
you may take a look at the iRule below.
The provided iRule uses a slightly different approach to trigger the initial SSL session (aka. we ignore client certificates), SSL session renegotiation (aka. we request client certificates) and client SSL certificate verification (aka. we verify the client certificate instead of just counting the existence of (possibly invalid?) client certificates).
If the client is able to renegotiate the SSL session by using a valid client certificate, it will be allowed to pass. And if the client is unable to renegotiate the SSL session by using a valid client certificate, it receives the HTTP redirect to the error page and will also be able to view the error page...
when CLIENT_ACCEPTED {
    # Per-connection state: "", "request", "success" or "failed"
    set ssl_auth ""
}
when CLIENTSSL_HANDSHAKE {
    # Only evaluate the renegotiated handshake; the initial handshake ignores client certificates
    if { $ssl_auth ne "" } then {
        if { [SSL::verify_result] == 0 } then {
            set ssl_auth "success"
        } else {
            log local0.debug "SSL Verify Result: [X509::verify_cert_error_string [SSL::verify_result]]"
            set ssl_auth "failed"
        }
        # Release the request that HTTP::collect held back during the renegotiation
        HTTP::release
    }
}
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/index.php?id=14" } then {
        # The error page is reachable without a valid client certificate
        HTTP::respond 200 content "access denied" "Content-Type" "text/html"
        pool XYZ-POOL
    } elseif { $ssl_auth eq "" } then {
        # First request on this connection: hold it and request a client certificate
        set ssl_auth "request"
        HTTP::collect
        SSL::cert mode request
        SSL::renegotiate
    }
}
when HTTP_REQUEST_SEND {
    clientside {
        if { $ssl_auth eq "success" } then {
            # Allow the request to pass...
        } else {
            HTTP::redirect "/index.php?id=14"
        }
    }
}
To make this iRule work, you need to tweak your Client SSL Profile a little bit. Basically you have to configure the Client SSL section so that the profile will authenticate your clients by using your internal PKI infrastructure, with the only exception that you IGNORE the client certificates by default.
ltm profile client-ssl www.domain.de {
    allow-expired-crl enabled
    app-service none
    authenticate always
    authenticate-depth 9
    ca-file MY-CA-Chain.crt
    cert default.crt
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    chain none
    client-cert-ca MY-CA-Chain.crt
    crl-file none
    defaults-from clientssl
    inherit-certkeychain true
    key default.key
    passphrase none
    peer-cert-mode ignore
    renegotiation enabled
    retain-certificate true
}
Cheers, Kai
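The following is an added illustration, not part of Kai's post and not F5 code: it models the per-connection state machine of the iRule above in plain Python, so the flow of `ssl_auth` across CLIENT_ACCEPTED, HTTP_REQUEST, CLIENTSSL_HANDSHAKE and HTTP_REQUEST_SEND can be traced offline. The verify results handed to each connection are constructed stand-ins for what `SSL::verify_result` would return (0 for a good chain, a non-zero value such as 10 for a failed one, labelled as such in the code); no BIG-IP is involved. Beyond the two cases in the post it also shows that a keep-alive connection renegotiates only once and that a direct request for the error page never triggers a renegotiation.

```python
"""Model of the iRule's per-connection logic (added example, not F5 code)."""
from dataclasses import dataclass, field
from typing import List

ERROR_PAGE = "/index.php?id=14"   # same URI the iRule redirects to
VERIFY_OK = 0                     # SSL::verify_result returns 0 for a verified chain


@dataclass
class Connection:
    """State that lives for one client connection (one CLIENT_ACCEPTED)."""
    verify_result: int            # constructed: what the renegotiated handshake would yield
    ssl_auth: str = ""            # "", "request", "success" or "failed", as in the iRule
    renegotiations: int = 0       # how often SSL::renegotiate was issued
    log: List[str] = field(default_factory=list)   # stand-in for log local0.debug


def client_accepted(verify_result: int) -> Connection:
    """CLIENT_ACCEPTED: ssl_auth starts empty for every new connection."""
    return Connection(verify_result=verify_result)


def clientssl_handshake(conn: Connection) -> None:
    """CLIENTSSL_HANDSHAKE: only the renegotiated handshake is evaluated."""
    if conn.ssl_auth != "":
        if conn.verify_result == VERIFY_OK:
            conn.ssl_auth = "success"
        else:
            conn.log.append(f"SSL Verify Result: {conn.verify_result}")
            conn.ssl_auth = "failed"
        # HTTP::release would hand the collected request back to the HTTP filter here


def http_request(conn: Connection, uri: str) -> str:
    """HTTP_REQUEST: returns the branch taken for this request."""
    if uri == ERROR_PAGE:
        # Error page is served without any client certificate check
        return "serve_error_page"
    if conn.ssl_auth == "":
        # First request on this connection: HTTP::collect, SSL::cert mode request,
        # SSL::renegotiate; the handshake event then runs before the request is released
        conn.ssl_auth = "request"
        conn.renegotiations += 1
        clientssl_handshake(conn)
    return "forward"


def http_request_send(conn: Connection) -> str:
    """HTTP_REQUEST_SEND (clientside): pass or redirect to the error page."""
    if conn.ssl_auth == "success":
        return "pass"
    return f"redirect {ERROR_PAGE}"


def handle(conn: Connection, uri: str) -> str:
    """Run one request through the event chain and return the outcome."""
    branch = http_request(conn, uri)
    if branch == "serve_error_page":
        return branch
    return http_request_send(conn)


if __name__ == "__main__":
    good = client_accepted(VERIFY_OK)       # constructed: valid client certificate
    bad = client_accepted(10)               # constructed: non-zero verify result
    print("valid cert, first request :", handle(good, "/secure"))
    print("valid cert, keep-alive    :", handle(good, "/secure/next"), "renegotiations =", good.renegotiations)
    print("invalid cert, first request:", handle(bad, "/secure"))
    print("invalid cert, error page  :", handle(bad, ERROR_PAGE))
```

The model keeps the ordering of the original: the error-page check in HTTP_REQUEST runs before the `ssl_auth` check, which is why the redirect target itself never loops back into another renegotiation.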