session {add|delete} ssl question

Question

I found this code from Code Share. 
&nbsp;  
&nbsp;  
 rule c_cert_session { 
 when RULE_INIT { 
   set ::key [AES::key 128] 
   log local0. "the key is:  $::key" 
 } 
  
 when CLIENTSSL_CLIENTCERT { 
  session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180 
 } 
  
 when HTTP_REQUEST { 
   set id [SSL::sessionid] 
   set y [session lookup ssl $id] 
   if { $y ne "" } { 
     set z [b64encode [AES::encrypt $::key $y]] 
     log local0.  "z is:  $z" 
     session delete ssl $id 
   } elseif { [HTTP::cookie exists ClientZ]} { 
     HTTP::header insert ClientCert  [AES::decrypt $::key [b64decode [HTTP::cookie ClientZ]]] 
     log local0.  "Inserting HTTP header ClientCert:   [AES::decrypt $::key [b64decode [HTTP::cookie ClientZ]]]" 
   } else { 
     set z [b64encode [AES::encrypt $::key none]] 
     log local0.  "no session, no cookie.  z is:  $z" 
   } 
 } 
  
 when HTTP_RESPONSE { 
   if { [info exists z ]} { 
     log local0.  "in http response Z is: $z" 
     HTTP::header insert "Set-Cookie ClientZ=$z" 
   } 
  } 
 } 
  
&nbsp;  
&nbsp; Questions: 
&nbsp; a) why is session deleted in HTTP_REQUEST? 
&nbsp; b) what is whole syntax for session {...} ssl command? 
&nbsp; c) how to make sure that client has smart card still in reader during whole session? 
&nbsp;  
&nbsp;

unruley_95363 · Answer

Answer: 
&nbsp; a) The rule was constructed to search the session table first and only if an entry wasn't found, look for the cookie.  Because of this, the session entry needs to be deleted when switching to the cookie.  This could easily be reworked to check for the cookie first, though you might risk getting an outdated cookie. 
&nbsp;  
&nbsp; b) 
&nbsp; session add ssl   []  
&nbsp; session lookup ssl  
&nbsp; session delete ssl  
&nbsp;  
&nbsp; c) I have no idea.  Maybe someone who is more familiar with how a client browser works with the smart cards can shed some light on this question. &nbsp;

bl0ndie_127134 · Answer

Have you considered forcing a SSL re-negotiation after a certain time out has been reached? Here is an example ...  
    
  when CLIENT_ACCEPTED {  
     set http_collect 0  
  }  
    
  when HTTP_REQUEST {  
     if {[HTTP::request_num] &gt; 10} {  
        SSL::renegotiate  
        HTTP::collect  
        set http_collect 1  
     }  
  }  
    
  when CLIENTSSL_HANDSHAKE {  
    if {$http_collect == 1} {  
       set http_collect 0  
       HTTP::release  
    }  
  }

You will at least be able to verify that the client still has the card.

Forum Discussion

session {add|delete} ssl question

Recent Discussions

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

Related Content

TMSH CLI script that adds/deletes a single VLAN to a VCMP Guest

Agility sessions announced

5 Technical Sessions That Should Be Great: F5 AppWorld 2025

Health monitor question

Site Launch Frequently Asked Questions

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS