Forum Discussion
Laurent_53635
Nimbostratus
Mar 13, 2008
SSL Certificate client authentication irule
Hi all,
I am a LTM newbie and I'm pretty sure my question looks stupid but may be you can help me.
We have implemented a BIG-IP LTM with an https virtual server which require client ...
Kevin_Stewart
Employee
Mar 14, 2008
This iRule is meant to be used in an OCSP authentication profile. Conceivably you could modify it to work in an HTTP iRule, but you'd need to strip out all of the AUTH events and do everything in HTTP_REQUEST. The only error you'd be able to capture is the certificate expired, which may or may not work depending on the LTM version. In an OCSP AUTH profile, you can also capture certificate invalids and revoked.
As an alternative, you could use/modify this simpler iRule:
    when CLIENTSSL_CLIENTCERT {
        # check the status of the client certificate and
        # store the value in the session table, keyed on the SSL session ID (6h timeout)
        session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 21600
    }
    when HTTP_REQUEST {
        set id [SSL::sessionid]
        # look up session to find cert status;
        # if status is ok, insert a header
        set y [session lookup ssl $id]
        if { $y contains "ok" } {
            HTTP::header insert SSLClientCertStatus $y
        } else {
            # either redirect to an error page (placeholder URL) ...
            HTTP::redirect "https://error-page.example/"
            # -OR- respond directly:
            # HTTP::respond 200 content "Error Page..."
        }
    }
Kevin
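A fuller version of the same session-table approach, added here as an example (it is neither Kevin's code nor an F5-supplied iRule; the X-SSL-Client-* header names, the 403 bodies and the 6-hour timeout are assumptions). It records the certificate subject alongside the verify result, fails closed when no table entry exists, and strips the status headers from the incoming request so a client cannot spoof an "ok" to the pool member:

```tcl
# Added example: client-certificate gate in an LTM iRule.
# Header names, messages and timeout are illustrative assumptions.
when CLIENTSSL_CLIENTCERT {
    # Capture how the presented certificate verified, plus its subject DN.
    # The else branch covers the event firing with an empty chain.
    if { [SSL::cert count] > 0 } {
        set status [X509::verify_cert_error_string [SSL::verify_result]]
        set subject [X509::subject [SSL::cert 0]]
    } else {
        set status "no certificate presented"
        set subject ""
    }
    # Key on the SSL session ID so HTTP_REQUEST (a separate event, possibly on
    # a later resumed connection) can find the result. 21600 s = 6 h (assumed).
    session add ssl [SSL::sessionid] [list $status $subject] 21600
}

when HTTP_REQUEST {
    # Never trust these headers as sent by the client: remove them before the
    # LTM inserts its own, so the backend only ever sees values set here.
    HTTP::header remove "X-SSL-Client-Status"
    HTTP::header remove "X-SSL-Client-Subject"

    set entry [session lookup ssl [SSL::sessionid]]
    if { $entry eq "" } {
        # No table entry (expired, or no certificate event for this session):
        # fail closed rather than letting the request through unlabelled.
        HTTP::respond 403 content "Client certificate status unavailable" "Content-Type" "text/plain"
        return
    }
    set status [lindex $entry 0]
    set subject [lindex $entry 1]
    if { $status eq "ok" } {
        HTTP::header insert "X-SSL-Client-Status" $status
        HTTP::header insert "X-SSL-Client-Subject" $subject
    } else {
        # Log the rejection for the SOC and return a plain 403 instead of
        # an open redirect or a misleading 200.
        log local0. "Client cert rejected from [IP::client_addr]: $status ($subject)"
        HTTP::respond 403 content "Client certificate rejected: $status" "Content-Type" "text/plain"
    }
}
```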