Forum Discussion
Goran_Blomquis1
Nimbostratus
NimbostratusSet ssl to require and pass cert when uri /manual
Hi devcentral
I try to write a I-rule that change ignore to require in SSLclient profile. I think Iḿ on the right track, but backend seems to be very slow and ask for cert all the time. I see in log that cert info are passed to backend when /manual is in URI.
when CLIENTSSL_HANDSHAKE {
if { [SSL::cert count] > 0 }{
set cur [SSL::sessionid]
set ask [session lookup ssl $cur]
if { $ask eq "" } {
session add ssl [SSL::sessionid] [SSL::cert 0]
HTTP::release
}
}
}
when HTTP_REQUEST {
set requestcertificatepage_uri [string tolower [HTTP::uri]]
log local5. "vilken uri [HTTP::uri]"
if {$requestcertificatepage_uri contains "/manual"} {
if {[SSL::cert count] == 0} {
HTTP::collect
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode require
SSL::renegotiate
set id [SSL::sessionid]
set the_cert [session lookup ssl $id]
if { $the_cert != ""} {
HTTP::header replace X-Client-Cert [b64encode $the_cert]
log local5. "putt clientcert in header [b64encode $the_cert]"
}
}
}
}
Have a greate day
- linjing
Employee
what is result? 
Goran_Blomquis1Hi,
The result was that certificate info never reached the backend server (if I rember it right). Problem are solved and I use an I-rule looking something like this.
when CLIENTSSL_CLIENTCERT {
HTTP::release
if { [SSL::cert count] < 1 } {
reject
}
}
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/manual" } {
if { [SSL::cert count] <= 0 } {
HTTP::collect
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode require
SSL::renegotiate
}
}
}
when HTTP_REQUEST_SEND {
clientside {
if { [HTTP::uri] starts_with "/manual" } {
if { [SSL::cert count] > 0 } {
HTTP::header replace X-Client-Cert [b64encode [SSL::cert 0]]
}
}
}
}
hoolioCirrostratus
That example wouldn't work well for clients who try to resume an existing SSL session. You would want to store the SSL session ID in the session table and then check on new requests if the current SSL session ID has a corresponding entry in the session table before checking if there is a cert.
This codeshare example shows how to validate the client cert and store valid cert details in the session table:
http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html
Also, to force some IE browser versions to pick a new SSL session ID when renegotiating the SSL handshake you should use SSL::session invalidate before calling SSL::renegotiate:Force renegotiation of the SSL connection with a cert requested SSL::session invalidate SSL::authenticate always SSL::authenticate depth 9 SSL::cert mode require SSL::renegotiate
And if you want to gracefully handle clients who don't provide a cert you would want to set SS::cert mode to request and then send some kind of response if the cert isn't present.
Aaron- Goran_Blomquis1Thank you Aaron, I appreciate your input. I need to check how the final I-rule look. I get back! :-)
- linjing
Posted By hoolio on 10/15/2009 4:33 AM
That example wouldn't work well for clients who try to resume an existing SSL session. You would want to store the SSL session ID in the session table and then check on new requests if the current SSL session ID has a corresponding entry in the session table before checking if there is a cert.
This codeshare example shows how to validate the client cert and store valid cert details in the session table:
http://devcentral.f5.com/wiki/default.aspx/iRules/InsertCertInServerHeaders.html
Also, to force some IE browser versions to pick a new SSL session ID when renegotiating the SSL handshake you should use SSL::session invalidate before calling SSL::renegotiate:Force renegotiation of the SSL connection with a cert requested SSL::session invalidate SSL::authenticate always SSL::authenticate depth 9 SSL::cert mode require SSL::renegotiate
And if you want to gracefully handle clients who don't provide a cert you would want to set SS::cert mode to request and then send some kind of response if the cert isn't present.
Aaron
"And if you want to gracefully handle clients who don't provide a cert you would want to set SS::cert mode to request and then send some kind of response if the cert isn't present. "
but in http_rquest_send event,we unable to set such as HTTP::redirect command.
It seem that there is no good way to show friend info to client. - hoolioThat's a good point. F5's answer was to create a hotfix (CR125264) which allows use of HTTP::respond in the CLIENTSSL_HANDSHAKE event. The hotfix is built for 9.4.8 and might be available for 10.x as well. You can contact F5 Support to request this fix.
Aaron
