Forum Discussion

Mathew_58739's avatar
Mathew_58739
Icon for Nimbostratus rankNimbostratus
Dec 19, 2008

SSL ClientCert validation

I have an iRule that I am attempting to write that will validate a client SSL certificate. If an error is found, log it and deliver a custom http::respond. I can get the http::respond to work all by itself. I can get the client certificate validation to work all by itself. But I cant get them to work together.

 

 

HTTP::respond by itself:

 

when RULE_INIT {

 

set response {

 

 

 

Certificate Deny

 

 

 

Your SSL MA connection was denied.

 

 

Please validate your certificate.

 

 

 

}

 

}

 

when HTTP_REQUEST {

 

HTTP::respond 520 content [subst $::response]

 

}

 

 

Client Certificate validation by itself:

 

when CLIENTSSL_CLIENTCERT {

 

set client_cert [SSL::cert 0]

 

if { [X509::subject $client_cert] contains "emailAddress" }{

 

log local0. "Failed STRATA SSL: [IP::client_addr] & [X509::subject $client_cert]"

 

reject

 

}

 

}

 

 

Combined:

 

when RULE_INIT {

 

set response {

 

 

 

Certificate Deny

 

 

 

Your SSL MA connection was denied.

 

 

Please validate your certificate.

 

 

 

}

 

}

 

when CLIENTSSL_CLIENTCERT {

 

set client_cert [SSL::cert 0]

 

if { [X509::subject $client_cert] contains "emailAddress" }{

 

log local0. "Failed STRATA SSL: [IP::client_addr] & [X509::subject $client_cert]"

 

set ::denycode 0

 

log local0. "DenyCode = $::denycode"

 

}

 

}

 

when HTTP_REQUEST {

 

if { $::denycode == 0 }{

 

HTTP::respond 520 content [subst $::response]

 

}

 

unset ::denycode

 

unset ::response

 

}

 

I can log the rule, and see it working all the way down to the "denycode" variable being created. Nothing below that. Any suggestions...??
application delivery
dev
devops
iRules
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Dec 19, 2008
    Hi,

     

     

    You're using a global variable to track whether the cert is valid or not. The global variable could be modified from every TCP connection of every client.

     

     

    You might be better off adding the SSL session ID to the session table in CLIENTSSL_CLIENTCERT with a flag on whether it was valid or not. Then in HTTP_REQUEST you could look up the session table entry using the SSL session ID and send a response if it's a bad session ID. You can use a Codeshare example as a template for this:

     

     

    Insert Cert In Server Headers (Click here)

     

     

    Also, you don't need to use subst when sending the HTTP response. It's only used if you're trying to force a escaped characters to be interpreted within the response content.

     

     

    Lastly, you shouldn't unset the ::response variable as you'll need to reference it every time you find an invalid SSL session ID.

     

     

    Aaron