For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

DethMetal_Jeff's avatar
DethMetal_Jeff
Icon for Altostratus rankAltostratus
Aug 04, 2020
Solved

Pass client cert based on POST data

I'm trying to pass along cleint cert information to my backedn server in an http header based on HTTP POST data sent to the login servlet. I've written the below iRule which, in short does the follo...
BIG-IP
devops
iRules
  • DethMetal_Jeff's avatar
    DethMetal_Jeff
    Aug 04, 2020

    Just to update anyone else who is looking to do the same thing. I inserted an HTTP::collect at line 111 after the SSL::renegotiate and this appears to force the iRule to hold the http data instead of invoking the implict release at the end of HTTP_REQUEST_DATA. So now it hits the CLIENTSSL_CLIENTCERT event and the HTTP::release is called there. Since I'm setting SSL::cert mode require this should always result in either the handshake failing or the HTTP::release being called from CLIENTSSL_CERT.

     

DethMetal_Jeff's avatar
DethMetal_Jeff
Icon for Altostratus rankAltostratus
Aug 04, 2020

That's what I've been doing but apparently that's less than desirable behavior from a client/product perspective. We have scenarios where a user may have a valid certificate installed but isn't required to use it for this particular application. If i set it to request they'll get prompted to select a cert regardless of which app they're trying to use. So, while technically ok as in it works, the end user experience isn't desirable.