Forum Discussion
Tom_Lebel_53961
Nimbostratus
Jan 24, 2006
Passing SSL Client Cert data - more info needed
We need to know:
1. Is this the best way to get client cert data to the web server? (We used to use it from the cgi collection, is there a way to get it into that collection again?)
2. What kind...
Tom_Lebel_53961
Nimbostratus
Feb 15, 2006
Hi, I'm baaaack.
Well, we had other problems to correct, and now I'm back to try and resolve this client SSL cert issue. At this point, I can get everything to work fine until I request the client cert and run it through the rule.
    when CLIENTSSL_CLIENTCERT {
        # Cache the client cert and its verification result, keyed by SSL session ID
        set ssl_cert [SSL::cert 0]
        set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
        set ssl_stuff [list $ssl_cert $ssl_errstr]
        session add ssl [SSL::sessionid] $ssl_stuff 61
    }
    when HTTP_REQUEST {
        # Look the cached cert data up again and pass it to the web server as headers
        set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
        set ssl_cert2 [lindex $ssl_stuff2 0]
        set ssl_errstr2 [lindex $ssl_stuff2 1]
        if { $ssl_errstr2 eq "ok" } {
            HTTP::header insert SSLClientCertStatus $ssl_errstr2
            HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $ssl_cert2]
            HTTP::header insert SSLClientCertValidUtil [X509::not_valid_after $ssl_cert2]
            HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]
            HTTP::header insert SSLClientCertIssuer [X509::issuer $ssl_cert2]
        } else {
            HTTP::header insert SSLClientCertStatus $ssl_errstr2
        }
    }
It chokes, and by that I mean the BigIP pair actually stop responding to all requests, and the Active unit goes to Standby and the Standby unit goes to Active. Once I close all browsers trying to use the client cert, normal traffic flow resumes.
Where do I start troubleshooting this one?
For info, using BIG-IP 9.1.1 Build 54.6.
Tom
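An added example, not part of the original post or F5's code: a Python sketch of how the web server behind the BIG-IP could consume the headers the iRule inserts. It rejects any request where one of them appears more than once, since the iRule inserts its headers without removing copies a client may have sent. The function names and the date layout in `DATE_FMT` are assumptions, and the sample headers are constructed.

```python
from datetime import datetime, timezone

# Header names exactly as the iRule in the post inserts them.
STATUS = "SSLClientCertStatus"
FIELDS = ("SSLClientCertValidFrom", "SSLClientCertValidUtil",
          "SSLClientCertSubject", "SSLClientCertIssuer")
# Assumed date layout (OpenSSL-style text); adjust to what the BIG-IP emits.
DATE_FMT = "%b %d %H:%M:%S %Y GMT"

class CertHeaderError(ValueError):
    """Raised when the forwarded certificate headers cannot be trusted."""

def _single(headers, name):
    # Collect every value for a header, case-insensitively. More than one
    # value means something besides the proxy also supplied it.
    values = [v.strip() for k, v in headers if k.lower() == name.lower()]
    if len(values) != 1:
        raise CertHeaderError(f"{name}: expected 1 value, got {len(values)}")
    return values[0]

def _parse_date(text):
    try:
        return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise CertHeaderError(f"bad date {text!r}") from exc

def client_cert_from_headers(headers, now=None):
    """headers: list of (name, value) pairs as received by the web server."""
    now = now or datetime.now(timezone.utc)
    status = _single(headers, STATUS)
    if status != "ok":
        raise CertHeaderError(f"certificate not verified: {status}")
    valid_from, valid_until, subject, issuer = (_single(headers, n) for n in FIELDS)
    not_before, not_after = _parse_date(valid_from), _parse_date(valid_until)
    if not (not_before <= now <= not_after):
        raise CertHeaderError("certificate outside its validity window")
    return {"subject": subject, "issuer": issuer,
            "not_before": not_before, "not_after": not_after}

# Constructed sample request headers, not captured traffic.
SAMPLE = [
    ("SSLClientCertStatus", "ok"),
    ("SSLClientCertValidFrom", "Jan  1 00:00:00 2006 GMT"),
    ("SSLClientCertValidUtil", "Jan  1 00:00:00 2007 GMT"),
    ("SSLClientCertSubject", "CN=Test User,O=Example"),
    ("SSLClientCertIssuer", "CN=Example CA,O=Example"),
]
```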
