Forum Discussion

Kristof_Goossen
Sep 21, 2010

SSL renegotiate issue in IE

Hi,

I am using an iRule to trigger client cert authentication on specific URLs. The idea is to invalidate a current (single side authenticated) SSL session and renegotiate a mutual SSL session. This is working fine for Firefox, but gives some issues in IE (tested in IE7 and IE8). Sometimes the setup is working as expected, but sometimes the browser cannot connect after renegotiating the session.

When it works, the session is invalidated, and the browser returns and negotiates a mutual SSL session (we see a CLIENT_CONNECT event, and subsequent events in the logging). However, when the setup fails, a locally generated page is shown in the browser (see attachment) and it seems the SSL session cannot be set up. The client seems not to come back from the BigIP point of view.

The code in the iRule looks like this:

    # Check if the request is to a page which requires a client SSL certificate
    if { [matchclass [HTTP::path] starts_with $::triggerURLs] } {
        # Save the requested URI for logging in subsequent events
        set requested_uri [HTTP::uri]

        # Track that this is a request for a restricted URI
        set need_cert 1
        if { $loglevel > 0 } { log local0.info "$log_prefix Request to restricted path: [HTTP::path]. \$need_cert: $need_cert" }
        if { $loglevel > 2 } { log local0.info "$log_prefix Checking Session - $sslSessionID" }

        # Hold the HTTP request until the SSL renegotiation is complete
        if { $loglevel > 5 } { log local0.info "$log_prefix HTTP::COLLECT - [HTTP::method]" }
        HTTP::collect

        # Force renegotiation with client certificate
        SSL::session invalidate
        SSL::authenticate once
        SSL::authenticate depth 9
        SSL::cert mode request
        SSL::renegotiate

        if { $loglevel > 0 } { log local0.info "$log_prefix Restricted path ([HTTP::uri]). Requesting client Cert." }
    }

A login page posts to a URL in the triggerURLs list, and initiates the authentication. When I disable the CSS on that login page, the issue cannot be reproduced. (Strange behaviour that I don't understand.) I tried to limit simultaneous connections for IE to 1, but it did not solve the issue.

I built a similar environment (single side SSL page that posts to a mutual SSL page) with Apache, but in that setup I could not reproduce the issue.

Any help would be much appreciated!
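Added example, not the poster's iRule: the same collect / invalidate / renegotiate sequence completed with the return path the snippet above does not show. Because `SSL::cert mode request` lets the handshake finish even when the browser sends no certificate, the enforcement has to happen in CLIENTSSL_HANDSHAKE before the held request is released; the data group name `triggerURLs` and the `need_cert` flag are assumed.

```tcl
when HTTP_REQUEST {
    # Only act on restricted paths, and only when this SSL session has not
    # already presented a client cert (avoids renegotiating on every request).
    if { [class match [HTTP::path] starts_with triggerURLs] } {
        if { [SSL::cert count] == 0 } {
            # Flag that the next handshake must deliver a client certificate
            # (assumed connection-scoped variable, checked below).
            set need_cert 1
            # Hold the request (including any POST body) until renegotiation completes.
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate once
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires for the initial handshake too; only enforce after we asked for a cert.
    if { ![info exists need_cert] || !$need_cert } {
        return
    }
    set need_cert 0

    # "mode request" completes the handshake even with no cert, so check here.
    if { [SSL::cert count] == 0 } {
        log local0.warn "No client certificate presented by [IP::client_addr]"
        reject
        return
    }
    # Chain verification result: 0 means X509_V_OK, anything else is a failure.
    if { [SSL::verify_result] != 0 } {
        log local0.warn "Client cert rejected: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }

    log local0.info "Client cert accepted: [X509::subject [SSL::cert 0]]"
    # Release the request held by HTTP::collect so it proceeds to the pool.
    HTTP::release
}
```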