Forum Discussion
JessB_42846
Aug 11, 2011 Nimbostratus
Request client cert based on URI access
Hi! I've been dredging DevCentral and built 4 or 5 iterations of an iRule with mixed success. I made a good breakthrough but then the scope crept and I'm back at step 1. I am attempting to...
nitass
Sep 10, 2011 Employee
I did a simple test. Hope it is helpful.
[root@Edelweiss:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.17.17:https
   ip protocol tcp
   rules myrule
   profiles {
      http {}
      myclientssl {
         clientside
      }
      tcp {}
   }
}
[root@Edelweiss:Active] config b profile myclientssl list
profile clientssl myclientssl {
   defaults from clientssl
   ca file "ca-bundle.crt"
   renegotiate enable
}
[root@Edelweiss:Active] config b rule myrule list
rule myrule {
   when CLIENTSSL_HANDSHAKE {
      if { [SSL::cert count] > 0 } {
         HTTP::release
      }
   }
   when HTTP_REQUEST {
      if {[string tolower [HTTP::uri]] starts_with "/uri/clientcert/" } {
         if {[SSL::cert count] == 0} {
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
         }
      }
   }
}
when accessing https://172.28.17.17/
4 10 1315633001.1229 (0.0159) C>SV3.1(410) application_data
---------------------------------------------------------------
GET / HTTP/1.1
Host: 172.28.17.17
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.22) Gecko/20110902 AskTbPTV/3.12.5.17640 Firefox/3.6.22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
---------------------------------------------------------------
4 11 1315633001.1266 (0.0036) S>CV3.1(500) application_data
---------------------------------------------------------------
when accessing https://172.28.17.17/uri/clientcert/
4 10 1315632762.4093 (0.0099) C>SV3.1(425) application_data
---------------------------------------------------------------
GET /uri/clientcert/ HTTP/1.1
Host: 172.28.17.17
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.22) Gecko/20110902 AskTbPTV/3.12.5.17640 Firefox/3.6.22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
---------------------------------------------------------------
4 11 1315632762.4096 (0.0003) S>CV3.1(24) Handshake
HelloRequest
4 12 1315632762.4102 (0.0005) C>SV3.1(174) Handshake
ClientHello
4 13 1315632762.4109 (0.0007) S>CV3.1(94) Handshake
ServerHello
4 14 1315632762.4109 (0.0000) S>CV3.1(712) Handshake
Certificate
4 15 1315632762.4109 (0.0000) S>CV3.1(28) Handshake
CertificateRequest
4 16 1315632762.4109 (0.0000) S>CV3.1(24) Handshake
ServerHelloDone
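
One way to check a decrypted ssldump capture like the two above against the intent of the iRule, as an added example that is not part of nitass's post: the script pairs each request URI with the server handshake messages that follow it and flags any URI where the observed behaviour disagrees with the `/uri/clientcert/` rule. The function names and the sample trace are assumptions constructed for this illustration.

```python
import re
# ssldump record header, e.g. "4 11 1315632762.4096 (0.0003) S>CV3.1(24) Handshake"
RECORD = re.compile(r"^(\d+)\s+\d+\s+[\d.]+\s+\([\d.]+\)\s+([CS])>[CS]\s*V[\d.]+\(\d+\)\s+(\w+)")
REQUEST = re.compile(r"^(?:GET|POST|PUT|HEAD|DELETE)\s+(\S+)\s+HTTP/")
HS_MSG = re.compile(r"^\s*([A-Z][A-Za-z]+)\s*$")

def handshakes_after_requests(trace):
    """Return {(conn, uri): [server handshake messages seen after that request]}."""
    seen, last_uri = {}, {}
    conn = sender = ctype = None
    for line in trace.splitlines():
        rec = RECORD.match(line)
        if rec:
            conn, sender, ctype = rec.groups()
            continue
        req = REQUEST.match(line)
        if req and sender == "C" and ctype == "application_data":
            last_uri[conn] = req.group(1)
            seen[(conn, req.group(1))] = []
        elif sender == "S" and ctype == "Handshake" and conn in last_uri:
            msg = HS_MSG.match(line)
            if msg:
                seen[(conn, last_uri[conn])].append(msg.group(1))
    return seen

def policy_violations(trace, protected_prefix="/uri/clientcert/"):
    """List URIs whose observed behaviour disagrees with the URI-based policy."""
    problems = []
    for (_, uri), msgs in handshakes_after_requests(trace).items():
        asked = "HelloRequest" in msgs and "CertificateRequest" in msgs
        protected = uri.lower().startswith(protected_prefix)  # same test as the iRule
        if protected and not asked:
            problems.append((uri, "protected URI served without a certificate request"))
        elif asked and not protected:
            problems.append((uri, "certificate requested outside the protected prefix"))
    return problems

# Constructed sample in the format of the traces above (trimmed, timestamps invented).
SAMPLE = """\
1 10 1.0000 (0.0100) C>SV3.1(410) application_data
GET / HTTP/1.1
1 11 1.0040 (0.0040) S>CV3.1(500) application_data
2 10 2.0000 (0.0100) C>SV3.1(425) application_data
GET /uri/clientcert/ HTTP/1.1
2 11 2.0003 (0.0003) S>CV3.1(24) Handshake
HelloRequest
2 13 2.0015 (0.0000) S>CV3.1(28) Handshake
CertificateRequest
"""
```

An empty list from `policy_violations(SAMPLE)` means the capture matches the policy; the check only works on traces where ssldump could decrypt the application data.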