For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mathew_58739's avatar
Mathew_58739
Icon for Nimbostratus rankNimbostratus
Dec 19, 2008

SSL ClientCert validation

I have an iRule that I am attempting to write that will validate a client SSL certificate. If an error is found, log it and deliver a custom http::respond. I can get the http::respond to work all by ...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Dec 19, 2008
Hi,

 

 

You're using a global variable to track whether the cert is valid or not. The global variable could be modified from every TCP connection of every client.

 

 

You might be better off adding the SSL session ID to the session table in CLIENTSSL_CLIENTCERT with a flag on whether it was valid or not. Then in HTTP_REQUEST you could look up the session table entry using the SSL session ID and send a response if it's a bad session ID. You can use a Codeshare example as a template for this:

 

 

Insert Cert In Server Headers (Click here)

 

 

Also, you don't need to use subst when sending the HTTP response. It's only used if you're trying to force a escaped characters to be interpreted within the response content.

 

 

Lastly, you shouldn't unset the ::response variable as you'll need to reference it every time you find an invalid SSL session ID.

 

 

Aaron