Forum Discussion

btully80_12521
Historic F5 Account
Oct 22, 2007

Problem inserting SSL client certificate subject into a header of an HTTP session

Hello DevCentral Community,

I have run into a problem in a v4.x to v9.x migration where we are trying to insert an X509 client cert subject as an HTTP header to the backend using the following iRule. After performing some testing we have identified several cases where we are passing requests to the backend servers with a blank subject header value. We suspect that a client is attempting to resume SSL connections after the 1200 sec timeout period (hence the SSL::renegotiate command) and causing the session lookup to fail.

We did make some assumptions when writing this iRule that I would like to confirm with the community.

Assumption 1 - Once we execute the SSL::renegotiate command we will re-execute the logic contained in the CLIENTSSL_CLIENTCERT and HTTP_REQUEST events with the new SSL session ID.

Assumption 2 – Re-adding the SSL subject into the session table will reset the timeout counter.
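    rule ssl-sub-insert-v4 {

        when CLIENTSSL_CLIENTCERT {
            # Take the first certificate the client presented and read its subject
            set ssl_cert [SSL::cert 0]
            set subject [X509::subject $ssl_cert]
            # Store the subject under the SSL session ID with a 1200 second timeout
            session add ssl [SSL::sessionid] $subject 1200
        }

        when HTTP_REQUEST {
            # Look up the subject stored for this SSL session ID
            set ssl_subject [session lookup ssl [SSL::sessionid]]
            if { $ssl_subject equals "" } {
                # Nothing stored for this session ID: ask for a new handshake
                SSL::renegotiate
            } else {
                HTTP::header insert SSLClientCertSubject $ssl_subject
                # Re-add the entry with the same 1200 second timeout
                session add ssl [SSL::sessionid] $ssl_subject 1200
            }
        }

    }
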
Any thoughts or words of wisdom would be greatly appreciated.

Thanks,

Brian
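
Added example, not part of the original post and not F5 code: a backend-side WSGI guard that treats a missing or blank SSLClientCertSubject header as an unauthenticated request instead of processing it. The header name comes from the iRule above; the function names, the `app.client_cert_subject` key and the sample subject are constructed for illustration, and the guard assumes the backend is reachable only through the BIG-IP.

```python
# Added example: fail closed on the backend when the subject header is
# absent or blank. Names other than the header itself are hypothetical.

HEADER_KEY = "HTTP_SSLCLIENTCERTSUBJECT"  # WSGI form of SSLClientCertSubject


def extract_subject(environ):
    """Return the stripped subject string, or None if absent or blank."""
    value = environ.get(HEADER_KEY)
    if value is None:
        return None
    value = value.strip()
    return value or None


def require_cert_subject(app):
    """Wrap a WSGI app so requests without a usable subject get a 403."""
    def guarded(environ, start_response):
        subject = extract_subject(environ)
        if subject is None:
            body = b"client certificate subject missing\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        # Hand the validated value to the application under one key
        environ["app.client_cert_subject"] = subject
        return app(environ, start_response)
    return guarded


def demo_app(environ, start_response):
    """Constructed sample application: echoes the validated subject."""
    body = environ["app.client_cert_subject"].encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def call(app, environ):
    """Invoke a WSGI app once and return (status, body) for inspection."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(dict(environ), start_response))
    return captured["status"], body
```
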
1 Reply