Forum Discussion
btully80_12521
Oct 22, 2007 | Historic F5 Account
Problem inserting SSL client certificate subject into a header of an HTTP session
Hello DevCentral Community,
I have run into a problem in a v4.x to v9.x migration where we are trying to insert an X509 client cert subject as an HTTP header to the backend using the following iRule. After performing some testing we have identified several cases where we are passing requests to the backend servers with a blank subject header value. We suspect that a client is attempting to resume SSL connections after the 1200 sec timeout period (hence the SSL::renegotiate command) and causing the session lookup to fail.
We did make some assumptions when writing this iRule that I would like to confirm with the community.
Assumption 1 - Once we execute the SSL::renegotiate command we will re-execute the logic contained in the CLIENTSSL_CLIENTCERT and HTTP_REQUEST events with the new SSL session ID.
Assumption 2 – Re-adding the SSL subject into the session table will reset the timeout counter.
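rule ssl-sub-insert-v4 {
    when CLIENTSSL_CLIENTCERT {
        # Cache the client certificate subject, keyed by SSL session ID, for 1200 seconds
        set ssl_cert [SSL::cert 0]
        set subject [X509::subject $ssl_cert]
        session add ssl [SSL::sessionid] $subject 1200
    }
    when HTTP_REQUEST {
        set ssl_subject [session lookup ssl [SSL::sessionid]]
        if { $ssl_subject equals "" } {
            # No cached subject for this session: ask the client to renegotiate
            SSL::renegotiate
        } else {
            HTTP::header insert SSLClientCertSubject $ssl_subject
            # Re-add the entry (intended to reset the 1200-second timeout)
            session add ssl [SSL::sessionid] $ssl_subject 1200
        }
    }
}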
Any thoughts or words of wisdom would be greatly appreciated.
Thanks,
Brian
1 Reply
- btully80_12521 (Historic F5 Account): Please ignore. This should have been posted to the iRule section.
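A fail-closed variant of the rule in the post, added here as an illustration; it is not the poster's code or an F5-supplied rule. It does not depend on either assumption in the post: a request with no cached subject is refused instead of being forwarded without the header. The rule name, the 403 response and the log message are assumptions.

```tcl
# Added example (not from the original post). Rule name is hypothetical.
rule ssl-sub-insert-failclosed {
    when CLIENTSSL_CLIENTCERT {
        # Cache a subject only when the client actually presented a certificate,
        # so an empty value is never stored against the session ID.
        if { [SSL::cert count] > 0 } {
            set subject [X509::subject [SSL::cert 0]]
            if { [string trim $subject] equals "" } {
                return
            }
            session add ssl [SSL::sessionid] $subject 1200
        }
    }
    when HTTP_REQUEST {
        # Drop any copy of the header supplied by the client, so the backend
        # only ever sees a value set by this rule.
        HTTP::header remove SSLClientCertSubject

        set ssl_subject [session lookup ssl [SSL::sessionid]]
        if { [string trim $ssl_subject] equals "" } {
            # No verified subject is available: refuse the request here
            # rather than pass it to the backend unidentified.
            log local0. "No cached client cert subject for [IP::client_addr]; request refused"
            HTTP::respond 403 content "Client certificate required"
            return
        }
        HTTP::header insert SSLClientCertSubject $ssl_subject
    }
}
```

Requests that arrive after the cached entry has expired are refused until the client completes a new handshake; this illustration chooses that over renegotiating mid-request.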