Forum Discussion
Request client cert auth based on URL
- Apr 20, 2022
Try replacing [SSL::cert 0] with [X509::whole [SSL::cert 0]]
So this seems to work however it is only inserted when refreshing the webpage so it needs two consecutive HTTP request, in this use case could work because there are in fact 2 consecutive request first GET then POST with exact same URL, but find it very strange that the HTTP_REQUEST insert header event cannot grab the initial CLIENTSSL_CLIENTCERT. Perhaps this is caused due to the following order:
The matching URL is matched then client cert authentication is negotiated to the client. Then the Certificate is received and stored and is only available for next HTTP request, does that makse sense? Perhaps moving the header insertion to HTTP_REQUEST_RELEASE would fix this....
when RULE_INIT {
set static::cert 0
}
when CLIENTSSL_CLIENTCERT {
if {[SSL::cert count] > 0}{
log local0. "start CLIENTSSL_CLIENTCERT"
set static::cert [X509::whole [SSL::cert 0]]
log local0. "end CLIENTSSL_CLIENTCERT with cert value $static::cert" }
}
when HTTP_REQUEST {
if {[class match [string tolower [HTTP::uri]] contains DG_ACC_NO_CERT_AUTH] && [HTTP::path] == "/nidp/idff/sso"}{
log local0. "certificate not inserted and header SSL_CLIENT_CERT value is: [HTTP::header value SSL_CLIENT_CERT] for host [HTTP::host] and URI: [HTTP::uri] and clientip: [IP::client_addr] "
return
}
elseif { [class match [string tolower [HTTP::uri]] contains DG_ACC_CERT_AUTH] && [HTTP::path] == "/nidp/idff/sso"}{
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode request
SSL::renegotiate enable
SSL::renegotiate
HTTP::header insert SSL_CLIENT_CERT [b64encode $static::cert]
log local0. "certificate inserted and header SSL_CLIENT_CERT value is: [HTTP::header value SSL_CLIENT_CERT] for host [HTTP::host] and URI: [HTTP::uri] and clientip: [IP::client_addr]"
}
}
- spalandeApr 26, 2022Nacreous
Try HTTP_REQUEST_SEND event and also make sure clientssl profile has ssl negotiation enabled
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com