Forum Discussion

Laurent_53635
Mar 13, 2008

SSL Certificate client authentication irule

Hi all,

I am a LTM newbie and I'm pretty sure my question looks stupid but maybe you can help me.

We have implemented a BIG-IP LTM with an https virtual server which requires client certificate authentication. It is defined in a client SSL profile.

To improve support, we would like to replace the standard error message "page cannot be displayed" by a redirection to a web mail which gives more information.

The 2nd place iRule winner "OCSP Authentication error redirect" seems to cover my need but when I want to apply this iRule to my virtual server, it asks me to add an authentication profile.

To be honest, I have no idea which information I have to set inside an authentication profile in that case.

If you can help me.

Thanks

Have a nice day.

Laurent
  • Hi,

    The thing is that if you need an authentication profile, you'll need the add-on licence for authentication.

    Have you checked if you have this add-on?
  • Hi,

    Thanks for your help,

    I have the licence "Client Authentication" and inside the authentication profile, the only "parent" I can select is "ssl_cc_ldap" which is interesting but in my view not required for this iRule.
  • This iRule is meant to be used in an OCSP authentication profile. Conceivably you could modify it to work in an HTTP iRule, but you'd need to strip out all of the AUTH events and do everything in HTTP_REQUEST. The only error you'd be able to capture is the certificate expired, which may or may not work depending on the LTM version. In an OCSP AUTH profile, you can also capture certificate invalids and revoked.

    As an alternative, you could use/modify this simpler iRule:

    when CLIENTSSL_CLIENTCERT {
        # check the status of the client certificate and
        # store the value in the session table, keyed by the SSL session ID
        # (the key and value are separate arguments; entry expires after 21600 s)
        session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 21600
    }
    when HTTP_REQUEST {
        set id [SSL::sessionid]
        # look up the session to find the cert status
        # if the status is ok, insert a header; otherwise send the user an error page
        set y [session lookup ssl $id]
        if { $y contains "ok" } {
            HTTP::header insert SSLClientCertStatus $y
        } else {
            # either redirect to your explanatory page (placeholder URL) ...
            HTTP::redirect "https://webmail.example.com/certhelp"
            # ... or respond directly with an error page:
            # HTTP::respond 200 content "Error Page..."
        }
    }

    Kevin
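An added example (written here, not code from Kevin or the original thread) that extends the session-table approach above with the handling a support team usually wants: it records the case where the browser sent no certificate at all, treats a session-table miss as "unknown" rather than silently failing, logs the reason together with the client address, and passes the reason to the help page so it can show the user what went wrong. It assumes the Client SSL profile has Client Certificate set to "request" rather than "require": with "require", a missing or invalid certificate aborts the TLS handshake and no HTTP event ever runs, so nothing can be redirected. The help page URL and path are placeholders.

```tcl
# Added example, not part of the original thread.
# Assumes the Client SSL profile requests (does not require) a client certificate
# and that the help page at the placeholder URL below does not itself need a cert.
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        # Browser completed the handshake without presenting a certificate
        set status "no client certificate presented"
    } else {
        # "ok" when the chain verified against the profile's trusted CA bundle,
        # otherwise the OpenSSL reason, e.g. "certificate has expired"
        set status [X509::verify_cert_error_string [SSL::verify_result]]
    }
    # Key on the SSL session ID: on a resumed session the certificate is not
    # re-sent, so CLIENTSSL_CLIENTCERT will not fire again, but the lookup below still works
    session add ssl [SSL::sessionid] $status 21600
}

when HTTP_REQUEST {
    set status [session lookup ssl [SSL::sessionid]]
    if { $status eq "" } {
        # Table entry expired or was never written; do not assume success
        set status "certificate status unknown"
    }
    if { $status eq "ok" } {
        HTTP::header insert SSLClientCertStatus $status
        return
    }
    # Let the help page itself load (it is behind this virtual server in this
    # example) so the redirect cannot loop
    if { [string tolower [HTTP::path]] starts_with "/certhelp" } {
        return
    }
    # One line per failed request gives support the client address and reason
    log local0. "client certificate check failed for [IP::client_addr]: $status"
    HTTP::redirect "https://webmail.example.com/certhelp?reason=[URI::encode $status]"
}
```

The `reason` query parameter is URL-encoded before it is placed in the Location header, since the OpenSSL reason strings contain spaces; the help page should treat it as untrusted display text and encode it on output.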