Forum Discussion

texanmutt_91307
Aug 30, 2012

OCSP custom authentication error page iRule

I was looking for a simple iRule example that would give a custom failure page if an OCSP Auth profile failed. I didn't want to change the default _sys_auth_ssl_ocsp iRule very much because management frowns upon excessive amounts of customization.

So I created an iRule with the _sys_auth_ssl_ocsp iRule as a starting point. The block page will display cert SN, cert subject, cert issuer, date/time and the client's IP. The client IP was kind of tricky because it would display the IP with the route domain, so I made it chop it off the end. In addition to the custom failure page I have added logging.


This is the logging page message -

---------------------------------------------------

Authentication Failure

Client Certificate Information -

Certificate SN - "01:02:03"

Certificate Subject - "Test"

Certificate Issuer - "AnyCA"

Client IP - "10.11.12.13"

Current Date/Time - "08/29/2012 10:45"

---------------------------------------------------


iRule code -

[code]
when CLIENT_ACCEPTED {
    set tmm_auth_ssl_ocsp_sid 0
    set tmm_auth_ssl_ocsp_done 0
    set ocsp_auth_failure 0
    set time_current [clock format [clock seconds] -format {%m/%d/%Y %H:%M}]
    set cipraw [IP::client_addr]
    # If a route domain suffix (%ID) exists in IP::client_addr, remove it for $cip.
    # Splitting on "%" handles route-domain IDs of any length; "string range 0 end-2"
    # would only strip single-digit IDs.
    set cip [lindex [split $cipraw "%"] 0]
}

when CLIENTSSL_CLIENTCERT {
    set tmm_auth_ssl_ocsp_done 0
    # Get SSL client cert
    set cert [SSL::cert 0]
    # Get cert SN
    set sn [X509::serial_number $cert]
    # Get cert subject and parse out CN (assumes CN is the first RDN)
    set cn [string range [lindex [split [X509::subject $cert] ","] 0] 3 end]
    # Get cert issuer and parse out CN (same assumption)
    set issuer [string range [lindex [split [X509::issuer $cert] ","] 0] 3 end]
    if {$tmm_auth_ssl_ocsp_sid == 0} {
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
        if {[info exists tmm_auth_subscription]} {
            AUTH::subscribe $tmm_auth_ssl_ocsp_sid
        }
    }
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    SSL::handshake hold
}

when AUTH_RESULT {
    if {[info exists tmm_auth_ssl_ocsp_sid] and \
        ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
        set tmm_auth_status [AUTH::status]
        if {$tmm_auth_status == 0} {
            # Log client auth success
            log local0.notice "Authorization successful - Client IP-\"$cipraw\", Cert CN-\"$cn\", Cert SN-\"$sn\""
            set tmm_auth_ssl_ocsp_done 1
            SSL::handshake resume
        } elseif {$tmm_auth_status == 1} {
            # If client auth fails, log the event and set a flag so HTTP_REQUEST can handle the session
            log local0.crit "Authorization failed - Client IP-\"$cipraw\", Cert CN-\"$cn\", Cert SN-\"$sn\""
            set tmm_auth_ssl_ocsp_done 1
            set ocsp_auth_failure 1
            SSL::handshake resume
        } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
            reject
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    set tmm_auth_ssl_ocsp_done 1
}

when HTTP_REQUEST {
    # If authentication failed, display the error page and close the connection
    if {$ocsp_auth_failure == 1} {
        # The forum stripped the HTML tags from the original response body;
        # minimal markup is restored here so the page renders as described above.
        set response "<html><head><title>Authentication Failure</title></head><body>\
<h1>Authentication Failure</h1>\
<p>Client Certificate Information -</p>\
<p>Certificate SN - \"$sn\"</p>\
<p>Certificate CN - \"$cn\"</p>\
<p>Certificate Issuer - \"$issuer\"</p>\
<p>Client IP - \"$cip\"</p>\
<p>Current Date/Time - \"$time_current\"</p>\
</body></html>"
        # "Connection: Close" ends the session once the response has been delivered;
        # a reject/TCP::close issued right after HTTP::respond would reset the
        # connection before the client has read the page.
        HTTP::respond 200 content $response "Connection" "Close" "Cache-Control" "No-Cache" "Pragma" "No-Cache"
    } else {
        # Insert cert info into headers for client auth success
        HTTP::header insert CertSN $sn
        HTTP::header insert CertCN $cn
    }
}
[/code]


Does anyone have any advice on something I did wrong or a way it can work better ?
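Added example (editor's code, not part of texanmutt_91307's post): a pure-Tcl sketch of three pieces of the iRule's string handling that are worth hardening. It strips the route-domain suffix by splitting on "%" so multi-digit route-domain IDs are handled, pulls the CN out of a DN regardless of which RDN comes first instead of assuming "CN=" leads the subject, and HTML-escapes the certificate fields before they are reflected into the failure page, since the subject and issuer strings come from whoever issued the client certificate rather than from the iRule. It runs under tclsh with constructed sample values standing in for [IP::client_addr] and the X509:: fields; the proc names and the page layout are the editor's own. The proc command is available in iRules from TMOS 11.4, so on earlier versions the bodies would be inlined into the event handlers.

```tcl
# Editor's example, not from the original post. Runs in tclsh; in an iRule the
# inputs would come from [IP::client_addr], [X509::subject $cert] and
# [X509::issuer $cert]. Sample values below are constructed.

# Strip an optional route-domain suffix ("%ID") from a client address.
# "string range $addr 0 end-2" only works for single-digit IDs; splitting on
# "%" handles any ID length, IPv6 addresses, and addresses with no suffix.
proc strip_route_domain {addr} {
    return [lindex [split $addr "%"] 0]
}

# Return one attribute (e.g. CN) from an X.509 DN string such as
# "OU=Users,CN=Test,O=Example". Taking "string range ... 3 end" of the first
# comma-separated element assumes CN is always first, which a CA need not do.
proc dn_attr {dn attr} {
    foreach rdn [split $dn ","] {
        set parts [split [string trim $rdn] "="]
        if {[string equal -nocase [lindex $parts 0] $attr]} {
            # Re-join in case the value itself contained "="
            return [join [lrange $parts 1 end] "="]
        }
    }
    return ""
}

# Escape a value before placing it in an HTML body. Certificate fields are
# chosen by the certificate issuer, so they are reflected only after escaping.
proc html_escape {s} {
    set map [list & &amp; < &lt; > &gt; \" &quot; ' &#39;]
    return [string map $map $s]
}

# Build the failure page body; every dynamic field goes through html_escape.
proc failure_page {sn cn issuer cip when} {
    set body "<html><head><title>Authentication Failure</title></head><body>"
    append body "<h1>Authentication Failure</h1>"
    append body "<p>Client Certificate Information -</p><ul>"
    append body "<li>Certificate SN - \"[html_escape $sn]\"</li>"
    append body "<li>Certificate CN - \"[html_escape $cn]\"</li>"
    append body "<li>Certificate Issuer - \"[html_escape $issuer]\"</li>"
    append body "<li>Client IP - \"[html_escape $cip]\"</li>"
    append body "<li>Current Date/Time - \"[html_escape $when]\"</li>"
    append body "</ul></body></html>"
    return $body
}

# Constructed sample inputs standing in for the iRule's runtime values:
# a two-digit route domain, a subject where CN is not the first RDN and
# contains characters that must not reach the page unescaped.
set sample_addr    "10.11.12.13%12"
set sample_subject {OU=Users,CN=Test <script>,O=Example}
set sample_issuer  {CN=AnyCA,O=Example}

set cip    [strip_route_domain $sample_addr]
set cn     [dn_attr $sample_subject CN]
set issuer [dn_attr $sample_issuer CN]

puts "client ip: $cip"
puts "cn: $cn"
puts "issuer: $issuer"
puts [failure_page "01:02:03" $cn $issuer $cip "08/29/2012 10:45"]
```

Running it with tclsh shows the route domain removed, the CN found even though OU precedes it, and the angle brackets in the sample CN rendered as entities in the page body rather than as markup.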