Forum Discussion

James_D__376338's avatar
James_D__376338
Icon for Nimbostratus rankNimbostratus
Apr 11, 2019

Using iRule to prompt for Client SSL Cert

Currently we have it configured where the Client SSL profile Requests once for a cert, which prompts the user to authenticate with their piv. This is causing issues with a few edge cases. What I would like to do is move the request into an iRule when the user hits a specific URI query such as below:

when HTTP_REQUEST {

    if { ([URI::query [HTTP::uri]] contains "authenticator=PIVAuthenticator") }{
    }

Any ideas on how to proceed would be greatly appreciated.

application delivery
iRules
LTM
security
  • James_D__376338's avatar
    James_D__376338
    Apr 11, 2019
    when CLIENTSSL_CLIENTCERT {
    HTTP::release
    if { [SSL::cert count] < 1 } {
        reject
    }
}

when HTTP_REQUEST {
    if { ([URI::query [HTTP::uri]] contains "auth=x509") || ([URI::query [HTTP::uri]] contains "auth=auth2") }{
        if { [SSL::cert count] < 1}{
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }

    }
}
when HTTP_REQUEST_SEND {
  clientside {
      if { [SSL::cert count] > 0 } {

        HTTP::header insert "SSLClientCertStatus"               [X509::verify_cert_error_string [SSL::verify_result]]
        HTTP::header insert "SSLClientCertSerialNumber"         [X509::serial_number [SSL::cert 0]]
        HTTP::header insert "SSLClientCertSubject"              [X509::subject [SSL::cert 0]]
        HTTP::header insert "SSLClientCert"                     [X509::whole [SSL::cert 0]]

      }
  }
}
  • James_D__376338's avatar
    James_D__376338
    Icon for Nimbostratus rankNimbostratus
    Apr 11, 2019
    when CLIENTSSL_CLIENTCERT {
    HTTP::release
    if { [SSL::cert count] < 1 } {
        reject
    }
}

when HTTP_REQUEST {
    if { ([URI::query [HTTP::uri]] contains "auth=x509") || ([URI::query [HTTP::uri]] contains "auth=auth2") }{
        if { [SSL::cert count] < 1}{
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }

    }
}
when HTTP_REQUEST_SEND {
  clientside {
      if { [SSL::cert count] > 0 } {

        HTTP::header insert "SSLClientCertStatus"               [X509::verify_cert_error_string [SSL::verify_result]]
        HTTP::header insert "SSLClientCertSerialNumber"         [X509::serial_number [SSL::cert 0]]
        HTTP::header insert "SSLClientCertSubject"              [X509::subject [SSL::cert 0]]
        HTTP::header insert "SSLClientCert"                     [X509::whole [SSL::cert 0]]

      }
  }
}