Turn off client auth if uri equals
Hi, I need to revive this topic.
I got a request to configure the LB to ask for a client certificate when the client goes to a certain path, but NOT to ask in any other case. It means I cannot use "Client certificate - Request", but "Client certificate - Ignore" as the default method in the SSL profile.
I tried some iRules with an example taken from here and from the last post in this channel.
My current iRule is as follows:
when CLIENTSSL_CLIENTCERT {
    # Record whether a cert was presented and the result of chain verification
    if { [SSL::cert count] > 0 } {
        set cert_count 1
    } else {
        set cert_count 0
    }
    set ssl_status_code [SSL::verify_result]
    set ssl_status_desc [X509::verify_cert_error_string [SSL::verify_result]]
    log local0. "$ssl_status_code $ssl_status_desc, cert_count = $cert_count"
}
when HTTP_REQUEST {
    if { [info exists cert_count] } {
        return
    } else {
        set cert_count 0
    }
    # Reject requests to the service if a cert was not presented
    if { [HTTP::host] eq "fqdn.com" and [string tolower [HTTP::path]] starts_with "/secure_path" } {
        if { $cert_count == 0 } {
            log local0. "1 - RENEGOTIATE cert_count = $cert_count, hostname: [HTTP::host][HTTP::uri]"
            # Hold the request and force a renegotiation that demands a client cert
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        } elseif { $cert_count == 1 and $ssl_status_code == 0 } {
            log local0. "2 - ACCEPT cert_count = $cert_count, \$ssl_status_code = $ssl_status_code, hostname: [HTTP::host][HTTP::uri]"
            # Scrub existing headers so a client cannot supply its own cert headers
            HTTP::header remove chain
            HTTP::header remove client
            HTTP::header remove testCert
            HTTP::header remove ClientCert-Subject
            HTTP::header remove SSLClientCertSubject
            HTTP::header remove SSLClientCertThumbprint
            # Insert the subject of the verified cert
            HTTP::header insert SSLClientCertSubject [X509::subject [SSL::cert 0]]
        } else {
            HTTP::respond 403 content "Test page, you are rejected"
            log local0. "3 - REJECT cert_count = $cert_count, hostname: [HTTP::host][HTTP::uri]"
        }
    } else {
        return
    }
}
It is not working because of the variable cert_count. Even though it has value 1 in the CLIENTSSL_CLIENTCERT part, it looks like it does not exist at all in the HTTP_REQUEST part. Anyway, I think the main reason is that I use Ignore as the value of Client Certificate in the SSL profile, so then it looks like it is somehow very hard to make the user renegotiate properly and show the cert.
I am surprised all solutions come with the default method "Request" in the SSL profile, but this way the client gets the option to select which client certificate to choose, and that is the reason why we can't use it as the basic/default value in the profile.
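A reworked version of the flow above, written as an added example and not the poster's iRule: per-connection flags are initialised in CLIENT_ACCEPTED so they exist before the first HTTP_REQUEST (CLIENTSSL_CLIENTCERT never fires while the profile is set to "Ignore"), the held request is only released after the renegotiated certificate has verified, and the subject header is stripped from every inbound request so a client cannot inject one. The host, path, and the ordering of HTTP::collect / HTTP::release across HTTP_REQUEST_DATA and CLIENTSSL_HANDSHAKE are assumptions; inserting the header into the held request is left out.

```tcl
# Added example (not the poster's iRule). Assumptions: the SSL profile keeps
# "Client Certificate: Ignore", host and path are placeholders, and the held
# request is released from CLIENTSSL_HANDSHAKE once the cert is verified.
when CLIENT_ACCEPTED {
    # Per-connection state lives here, so HTTP_REQUEST never sees an undefined variable.
    set collecting 0
    set renegotiated 0
    set cert_verified 0
}
when HTTP_REQUEST {
    # Strip any client-supplied copy of the header the LB would set itself.
    HTTP::header remove SSLClientCertSubject
    if { !([HTTP::host] eq "fqdn.com" && [string tolower [HTTP::path]] starts_with "/secure_path") } {
        return
    }
    if { !$renegotiated } {
        # Hold this request until a client certificate has been demanded.
        HTTP::collect
        set collecting 1
    } elseif { !$cert_verified } {
        HTTP::respond 403 content "Client certificate required"
    }
}
when HTTP_REQUEST_DATA {
    if { $collecting } {
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        SSL::renegotiate
        set renegotiated 1
    }
}
when CLIENTSSL_CLIENTCERT {
    # Verified only if a cert was presented AND chain validation succeeded.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set cert_verified 1
    } else {
        log local0. "cert rejected: [X509::verify_cert_error_string [SSL::verify_result]]"
    }
}
when CLIENTSSL_HANDSHAKE {
    if { $collecting } {
        set collecting 0
        if { $cert_verified } {
            HTTP::release
        } else {
            reject
        }
    }
}
```

Requests outside the protected path are passed through untouched, so users elsewhere on the site never see a certificate prompt.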