ssl ocsp Irule help needed

Below is my Irule:

 

 

when CLIENT_ACCEPTED {

 

set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]

 

use the following logging line for troubleshooting only

 

log local0. "Client Address: [IP::client_addr]"

 

}

 

 

when CLIENTSSL_CLIENTCERT {

 

Check certificate validity

 

set ssl_cert [SSL::cert 0]

 

set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]

 

 

Set results in the session so they are available to other events

 

0=The certificate, 1=The validation error, 2=Revocation status

 

set ssl_stuff [list anything1 anything2 anything3]

 

lset ssl_stuff 0 $ssl_cert

 

lset ssl_stuff 1 $ssl_errstr

 

lset ssl_stuff 2 ""

 

session add ssl [SSL::sessionid] $ssl_stuff 180

 

 

Check revocation status of the certificate with the OCSP servers

 

AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]

 

AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]

 

AUTH::authenticate $tmm_auth_ssl_ocsp_sid

 

set id [SSL::sessionid]

 

SSL::handshake hold

 

 

Log results

 

log local0. "Client IP: [IP::remote_addr]"

 

}

 

 

 

 

when AUTH_SUCCESS {

 

if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {

 

OCSP servers say the certificate is good

 

SSL::handshake resume

 

lset ssl_stuff 2 "success"

 

session add ssl $id $ssl_stuff

 

}

 

}

 

 

when AUTH_FAILURE {

 

if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {

 

OCSP servers say the certificate was revoked

 

SSL::handshake resume

 

lset ssl_stuff 2 "failure"

 

session add ssl $id $ssl_stuff

 

}

 

}

 

 

when AUTH_ERROR {

 

if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {

 

An error occurred communicating with the OCSP servers

 

SSL::handshake resume

 

lset ssl_stuff 2 "error"

 

session add ssl $id $ssl_stuff

 

}

 

}

 

 

when AUTH_WANTCREDENTIAL {

 

if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {

 

OCSP servers want more info?

 

reject

 

}

 

}

 

 

when HTTP_REQUEST {

 

Retrieve certificate information from the session

 

set ssl_stuff2 [session lookup ssl [SSL::sessionid]]

 

 

log statements below are to allow admin to view cert results through logs

 

log local0. "Client IP: [IP::remote_addr], requesting: [HTTP::method]/[HTTP::host][HTTP::uri], browser: [HTTP::header User-Agent], Referer: [HTTP::header exists Referer], HTTP version [HTTP::version], Persitance Cookie: [HTTP::cookie exists JSESSIONID], SSL: [SSL::cipher name]/[SSL::cipher version]/[SSL::cipher bits]"

 

 

 

if { $ssl_stuff2 == "" } {

 

No certificate was supplied, set CertAuth to "Fail" so the

 

webservers know the user was not authenticated via OCSP

 

log local0. "Cert Auth = Failed"

 

HTTP::header insert CertAuth "Fail"

 

} else {

 

A certificate was supplied

 

set ssl_cert2 [lindex $ssl_stuff2 0]

 

set ssl_errstr2 [lindex $ssl_stuff2 1]

 

set ssl_revoke2 [lindex $ssl_stuff2 2]

 

log local0. "Certificate Information, Trusted Certificate Validation: $ssl_errstr2, OCSP Revocation Statue: $ssl_revoke2"

 

 

if { $ssl_errstr2 eq "ok" } {

 

The certificate has passed Trusted Certificate Validation

 

Below are the OCSP states

 

switch $ssl_revoke2 {

 

"error" {

 

An error occurred communicating with the OCSP servers

 

HTTP::redirect "http://10.1.1.1/errorcert.html"

 

log local0. "OCSP error was redirected"

 

}

 

"failure" {

 

version of verisign cert is not in OCSP server--must allow without verifying revocation status

 

if { [X509::issuer $ssl_cert2] contains "OU=verisign" } {

 

log local0. "Cert is from verisign, Cert issuer - [X509::issuer $ssl_cert2]"

 

HTTP::header insert CertAuth "Pass"

 

HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]

 

} else {

 

The cert was actually in OCSP server as a revoked cert

 

HTTP::redirect "http://10.1.1.1/revokedcert.html"

 

log local0. "Revoked certificate was redirected"

 

}

 

}

 

"success" {

 

The certificate is valid, the user is authenticated.

 

Add the certificate subject so the web servers can lookup the

 

the user's account and priviledges

 

HTTP::header insert CertAuth "Pass"

 

HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]

 

}

 

default {

 

We should not get here, I don't know what happened

 

log local0.error "Invalid revocation status = $ssl_revoke2"

 

reject

 

}

 

}

 

} else {

 

The certificate was invalid.

 

we should not get here

 

HTTP::redirect "http://10.1.1.1/invalidcert.html"

 

log local0. "Invalid certificate was redirected"

 

}

 

}

 

}

 

 

 

 

Thanks again for any help!

 

rob