Forum Discussion
Al_17441
Nimbostratus
Dec 28, 2007
Need to Pass Cert_Cookie server variable
Sorry for such a newb question, but I couldn't find an answer anywhere. I need to pass the Cert_Cookie server variable through my custom iRule. I already have the subject, issuer and serial number for the cert being passed. I just cannot seem to figure out how to pass the 'CERT_COOKIE' variable.
Thanks in advance.
```tcl
when CLIENTSSL_HANDSHAKE {
    # Cache the client cert in the session table, keyed by the SSL session ID,
    # so it can be read back later in HTTP_REQUEST
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        session add ssl [SSL::sessionid] [SSL::cert 0]
    }
}
when HTTP_REQUEST {
    HTTP::header replace HTTPS on
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert != "" } {
        set pkiSubject [X509::subject $the_cert]
        set pkiIssuer [X509::issuer $the_cert]
        # $pkiSubject is the first line on PKIInfo
        log "$pkiSubject"
        # $pkiIssuer is the third line on PKIInfo
        log "$pkiIssuer"
        # Strip the PEM armor and line breaks so the cert fits in a single header value
        HTTP::header insert SSL-Client-Cert [join [string trim [string map { "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" "" } [X509::whole $the_cert]]] ""]
        HTTP::header insert CN $pkiSubject
        HTTP::header insert SSLIssuer $pkiIssuer
        HTTP::header insert SSLClientCertSN [regsub -all {:} [X509::serial_number $the_cert] -]
    }
}
```
3 Replies
- hoolio
Cirrostratus
In a quick search, I couldn't find any specific explanation of what the CERT_COOKIE CGI variable is parsed from. This seems to be the stock explanation most sites have:
http://msdn2.microsoft.com/en-us/library/ms525581.aspx
CERT_COOKIE - Unique ID for the client certificate, returned as a string. This can be used as a signature for the whole client certificate.
In a quick test using a page which echoes the CGI variables, I set a cookie and header named cert and certificate. But the CERT_COOKIE CGI variable was never set by the web server.
So I would guess that this value is generated by parsing the actual client certificate presented by the client to the web server. Since the BIG-IP to server connection doesn't use a client cert, that CGI variable would always be empty.
Do you have the ability to modify the web application so it reads the cert details from the custom header(s) you're inserting, instead of depending on the stock CGI variable?
Also, it would be more efficient to use string map versus the regsub to replace colons with hyphens:
old
HTTP::header insert SSLClientCertSN [regsub -all {:} [X509::serial_number $the_cert] -]
new
HTTP::header insert SSLClientCertSN [string map {: -} [X509::serial_number $the_cert]]
Aaron
- Al_17441
Nimbostratus
Thanks Aaron,
I do have the ability to change what the app is looking for, but it's one of those things where I was trying to keep the app as stock as possible after the BIG-IP server was introduced.
Also, thanks for the tip on the string mapping.
Al
- hoolio
Cirrostratus
Hi Al,
I suppose you could test this further by configuring a web server to accept (but not require) client certs and log the CGI variables. I would guess that when the client presents a cert the CERT_COOKIE variable is set and when the client doesn't present a cert, the CERT_COOKIE variable isn't set.
Aaron
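Following Aaron's suggestion that the application read the cert details from the inserted headers rather than from CERT_COOKIE, here is an added example (not from the thread or from F5) of the server-side half in Python. It assumes the header names the iRule above inserts, a trusted-proxy address set standing in for the BIG-IP self IPs, and a SHA-1 fingerprint of the DER certificate as a stand-in for the "unique ID" CERT_COOKIE would have carried; the sample values are constructed, not a real certificate.

```python
import base64
import binascii
import hashlib
import textwrap

# Header names exactly as the iRule in the thread inserts them.
CERT_HEADER = "SSL-Client-Cert"
SERIAL_HEADER = "SSLClientCertSN"

# Constructed assumption: addresses the backend accepts cert headers from (BIG-IP self IPs).
TRUSTED_PROXIES = {"10.0.0.5"}


def pem_from_header(value):
    """Rebuild PEM: the iRule removed the BEGIN/END lines and joined the base64
    body onto one line, so re-wrap it at 64 columns and restore the armor."""
    body = "".join(value.split())
    lines = textwrap.wrap(body, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def der_from_header(value):
    """Decode the header body back to DER; None if it is not valid base64."""
    try:
        return base64.b64decode("".join(value.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def cert_cookie(value):
    """CERT_COOKIE stand-in (assumption): hex SHA-1 fingerprint of the whole DER cert."""
    der = der_from_header(value)
    return hashlib.sha1(der).hexdigest() if der else None


def serial_as_int(value):
    """The iRule rewrote ':' to '-' in the serial; undo that and parse the hex digits."""
    return int(value.replace("-", ""), 16)


def client_cert_from_request(headers, remote_addr):
    """Honour the inserted headers only when the request arrived via the BIG-IP,
    so values are never taken from a request that bypassed the proxy."""
    if remote_addr not in TRUSTED_PROXIES:
        return None
    raw = headers.get(CERT_HEADER)
    cookie = cert_cookie(raw) if raw else None
    if cookie is None:
        return None
    return {"cert_cookie": cookie, "pem": pem_from_header(raw),
            "serial": serial_as_int(headers.get(SERIAL_HEADER, "0"))}
```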