Forum Discussion
Tom_Lebel_53961
Nimbostratus
Jan 24, 2006
Passing SSL Client Cert data - more info needed
We need to know:
1. Is this the best way to get client cert data to the web server? (We used to use it from the cgi collection; is there a way to get it into that collection again?)
2. What kind of load is it going to be on the BigIP with a few thousand users?
3. Why is it that this script only works if we remove the line that stuffs the serial_number into the http header?
4. The "session add ssl" line: it seems the number at the end is a timeout value for the session. What value should this be set at? It seems if this value is set to anything at or less than the "Cache timeout" value in the BigIP, we lose the client cert data at the server until the "Cache timeout" passes.
Thanks for any help.
# Fires when the client presents a certificate during the SSL handshake
when CLIENTSSL_CLIENTCERT {
    set ssl_cert [SSL::cert 0]
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    set ssl_stuff [list $ssl_cert $ssl_errstr]
    # Cache the certificate and its verification result, keyed by SSL session ID
    session add ssl [SSL::sessionid] $ssl_stuff 61
}
when HTTP_REQUEST {
    # Look up the cached certificate data for this SSL session
    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
    set ssl_cert2 [lindex $ssl_stuff2 0]
    set ssl_errstr2 [lindex $ssl_stuff2 1]
    if { $ssl_errstr2 eq "ok" } {
        # Verification succeeded: pass the certificate fields to the server as HTTP headers
        HTTP::header insert SSLClientCertStatus $ssl_errstr2
        HTTP::header insert SSLClientCertSerialNumber [X509::serial_number $ssl_cert2]
        HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $ssl_cert2]
        HTTP::header insert SSLClientCertValidUtil [X509::not_valid_after $ssl_cert2]
        HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]
        HTTP::header insert SSLClientCertIssuer [X509::issuer $ssl_cert2]
    } else {
        # Verification failed: pass only the status string
        HTTP::header insert SSLClientCertStatus $ssl_errstr2
    }
}
11 Replies
- Alan_63492
Nimbostratus
