Forum Discussion
Tarmo_Oja_95406
Nimbostratus
Mar 29, 2005
session {add|delete} ssl question
I found this code on Code Share.
rule c_cert_session {
    when RULE_INIT {
        # One AES key for the life of the rule; used to encrypt the cookie value.
        set ::key [AES::key 128]
        log local0. "the key is: $::key"
    }
    when CLIENTSSL_CLIENTCERT {
        # Cache the certificate verification result under the SSL session ID for 180 seconds.
        session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180
    }
    when HTTP_REQUEST {
        set id [SSL::sessionid]
        set y [session lookup ssl $id]
        if { $y ne "" } {
            # Session table hit: encrypt the result for the cookie and drop the table entry.
            set z [b64encode [AES::encrypt $::key $y]]
            log local0. "z is: $z"
            session delete ssl $id
        } elseif { [HTTP::cookie exists ClientZ] } {
            # No table entry: fall back to the result carried in the cookie.
            set cert [AES::decrypt $::key [b64decode [HTTP::cookie ClientZ]]]
            HTTP::header insert ClientCert $cert
            log local0. "Inserting HTTP header ClientCert: $cert"
        } else {
            set z [b64encode [AES::encrypt $::key none]]
            log local0. "no session, no cookie. z is: $z"
        }
    }
    when HTTP_RESPONSE {
        if { [info exists z] } {
            log local0. "in http response Z is: $z"
            # Header name and value are separate arguments to HTTP::header insert.
            HTTP::header insert Set-Cookie "ClientZ=$z"
        }
    }
}
Questions:
a) why is session deleted in HTTP_REQUEST?
b) what is the whole syntax for the session {...} ssl command?
c) how to make sure that the client still has the smart card in the reader during the whole session?
2 Replies
- unRuleY_95363 (Historic F5 Account)
Answer:
a) The rule was constructed to search the session table first and only if an entry wasn't found, look for the cookie. Because of this, the session entry needs to be deleted when switching to the cookie. This could easily be reworked to check for the cookie first, though you might risk getting an outdated cookie.
b)
    session add ssl <key> <value> [<timeout>]
    session lookup ssl <key>
    session delete ssl <key>
c) I have no idea. Maybe someone who is more familiar with how a client browser works with the smart cards can shed some light on this question.
- bl0ndie_127134 (Historic F5 Account)
Have you considered forcing an SSL re-negotiation after a certain timeout has been reached? Here is an example ...
    when CLIENT_ACCEPTED {
        set http_collect 0
    }
    when HTTP_REQUEST {
        if { [HTTP::request_num] > 10 } {
            # Force a new handshake and hold the request until it completes.
            SSL::renegotiate
            HTTP::collect
            set http_collect 1
        }
    }
    when CLIENTSSL_HANDSHAKE {
        if { $http_collect == 1 } {
            # Handshake done: let the held request through.
            set http_collect 0
            HTTP::release
        }
    }
You will at least be able to verify that the client still has the card.
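The following iRule is an added example, not code from the thread or from F5: it keeps the session-table-then-cookie order that unRuleY explains in (a) and uses the session add/lookup/delete forms from (b), but it addresses the "outdated cookie" risk by storing the time of issue inside the encrypted cookie and ignoring the cookie once it is older than the session-table timeout. The cookie name ClientZ comes from the original rule; the variable names cert_key, cert_ttl and issue_cookie, and the "issued-at|result" cookie layout, are this example's own choices.

```tcl
# Added example: cache the client-cert verification result in the session table,
# hand it to the client in an encrypted cookie, and refuse cookies older than the
# same timeout the session table uses. Names below are assumptions of this example.
when RULE_INIT {
    set ::cert_key [AES::key 128]
    set ::cert_ttl 180
}
when CLIENT_ACCEPTED {
    set issue_cookie 0
    set result ""
}
when CLIENTSSL_CLIENTCERT {
    # Cache the verification result under the SSL session ID for $::cert_ttl seconds.
    session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] $::cert_ttl
}
when HTTP_REQUEST {
    set result ""
    set issue_cookie 0
    set cached [session lookup ssl [SSL::sessionid]]
    if { $cached ne "" } {
        # Fresh result from this handshake: use it, move it into a cookie on the
        # response, and drop the table entry so later requests take the cookie path.
        set result $cached
        set issue_cookie 1
        session delete ssl [SSL::sessionid]
    } elseif { [HTTP::cookie exists ClientZ] } {
        # Decrypted cookie layout: "<issued-at epoch seconds>|<verify result>".
        # A cookie that does not decrypt or parse is simply ignored.
        if { [catch { set plain [AES::decrypt $::cert_key [b64decode [HTTP::cookie ClientZ]]] }] } {
            set plain ""
        }
        set parts [split $plain "|"]
        if { [llength $parts] == 2 && [string is integer -strict [lindex $parts 0]] } {
            if { [clock seconds] - [lindex $parts 0] <= $::cert_ttl } {
                set result [lindex $parts 1]
            }
        }
    }
    if { $result ne "" } {
        HTTP::header insert ClientCert $result
    } else {
        HTTP::header insert ClientCert "none"
    }
}
when HTTP_RESPONSE {
    if { $issue_cookie } {
        set plain "[clock seconds]|$result"
        HTTP::header insert Set-Cookie "ClientZ=[b64encode [AES::encrypt $::cert_key $plain]]; Path=/; Secure"
        set issue_cookie 0
    }
}
```

A cookie that is expired, malformed, or encrypted under a different key falls through to the "none" header rather than to an error. AES::encrypt gives the cookie confidentiality only, not integrity, so the ClientCert header the pool members receive should be treated as a cached hint of an earlier verification, and a forced renegotiation (as in the reply above) remains the way to re-check the card itself.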