Forum Discussion
James_D__376338
Apr 11, 2019, Nimbostratus
Using iRule to prompt for Client SSL Cert
Currently we have it configured where the Client SSL profile Requests once for a cert, which prompts the user to authenticate with their PIV. This is causing issues with a few edge cases. What I wou...
James_D__376338
Apr 11, 2019, Nimbostratus
when CLIENTSSL_CLIENTCERT {
    # Fires once the renegotiated handshake delivers the client cert (or none).
    # Release the request held by HTTP::collect; drop the connection if the
    # client presented no certificate.
    HTTP::release
    if { [SSL::cert count] < 1 } {
        reject
    }
}

when HTTP_REQUEST {
    # Only prompt for the PIV cert on requests whose query string asks for it.
    if { ([URI::query [HTTP::uri]] contains "auth=x509") || ([URI::query [HTTP::uri]] contains "auth=auth2") } {
        # No cert on this session yet: hold the request, require a cert for
        # this session, and renegotiate so the browser prompts for the PIV.
        if { [SSL::cert count] < 1 } {
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when HTTP_REQUEST_SEND {
    # Runs in server-side context; clientside {} reads the client SSL session.
    # Pass the cert details to the pool member as headers. Note that
    # HTTP::header insert adds a header without removing a same-named one
    # that may already be present in the request.
    clientside {
        if { [SSL::cert count] > 0 } {
            HTTP::header insert "SSLClientCertStatus" [X509::verify_cert_error_string [SSL::verify_result]]
            HTTP::header insert "SSLClientCertSerialNumber" [X509::serial_number [SSL::cert 0]]
            HTTP::header insert "SSLClientCertSubject" [X509::subject [SSL::cert 0]]
            HTTP::header insert "SSLClientCert" [X509::whole [SSL::cert 0]]
        }
    }
}
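The HTTP_REQUEST_SEND block above hands the backend four headers (SSLClientCertStatus, SSLClientCertSerialNumber, SSLClientCertSubject, SSLClientCert) and leaves it to the application to decide whether to trust them. The following Python is an added example of that backend-side check; it is not code from this thread or from F5. It assumes that the BIG-IP is the only hop that can reach the backend and that its address is known (TRUSTED_PROXIES, a constructed value), that X509::verify_cert_error_string yields the literal "ok" for a clean chain, and that X509::subject returns a comma-separated RDN string such as "CN=Jane Doe,OU=PIV,O=Example,C=US". Because HTTP::header insert adds a header without removing a same-named one, the check reads the raw header list and refuses any identity header that appears more than once.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed: the BIG-IP address as seen by the backend. Only requests arriving
# from here may carry trusted identity headers, since the iRule adds them on
# the server-side hop.
TRUSTED_PROXIES = frozenset({"10.0.0.5"})

# Header names inserted by the iRule's HTTP_REQUEST_SEND block (lower-cased).
IDENTITY_HEADERS = ("sslclientcertstatus", "sslclientcertserialnumber",
                    "sslclientcertsubject", "sslclientcert")


@dataclass(frozen=True)
class ClientCertIdentity:
    subject: Dict[str, str]   # RDN attribute map parsed from SSLClientCertSubject
    serial: str               # SSLClientCertSerialNumber, passed through opaque
    pem: Optional[str]        # SSLClientCert (X509::whole), if present


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse the comma-separated RDN string X509::subject is assumed to return
    into an attribute map. Duplicate attribute types are rejected so a second
    CN cannot shadow the first."""
    rdns: Dict[str, str] = {}
    for part in subject.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().upper()
        if key in rdns:
            raise ValueError(f"duplicate attribute {key}")
        rdns[key] = value.strip()
    return rdns


def identity_from_headers(raw_headers: Iterable[Tuple[str, str]],
                          peer_ip: str) -> Optional[ClientCertIdentity]:
    """Return the identity asserted by the BIG-IP, or None if the request must
    be treated as unauthenticated. raw_headers is the header list as received,
    duplicates included."""
    if peer_ip not in TRUSTED_PROXIES:
        return None                      # headers did not come via the BIG-IP
    seen: Dict[str, str] = {}
    for name, value in raw_headers:
        key = name.lower()
        if key in IDENTITY_HEADERS:
            if key in seen:
                return None              # duplicated identity header: ambiguous
            seen[key] = value
    # Assumed: verify result 0 renders as the literal "ok".
    if seen.get("sslclientcertstatus") != "ok":
        return None
    subject = seen.get("sslclientcertsubject", "")
    serial = seen.get("sslclientcertserialnumber", "")
    if not subject or not serial:
        return None
    pem = seen.get("sslclientcert")
    if pem is not None and not pem.startswith("-----BEGIN CERTIFICATE-----"):
        return None
    try:
        rdns = parse_subject(subject)
    except ValueError:
        return None
    if "CN" not in rdns:
        return None
    return ClientCertIdentity(subject=rdns, serial=serial, pem=pem)


# Constructed sample header sets; values are illustrative, not real certificates.
HEADERS_OK = [
    ("Host", "app.example.test"),
    ("SSLClientCertStatus", "ok"),
    ("SSLClientCertSerialNumber", "0a:1b:2c:3d"),
    ("SSLClientCertSubject", "CN=Jane Doe,OU=PIV,O=Example,C=US"),
    ("SSLClientCert", "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----"),
]
HEADERS_BAD_CHAIN = [
    ("SSLClientCertStatus", "unable to get local issuer certificate"),
    ("SSLClientCertSerialNumber", "0a:1b:2c:3d"),
    ("SSLClientCertSubject", "CN=Jane Doe,OU=PIV,O=Example,C=US"),
]
HEADERS_DUPLICATED = HEADERS_OK + [("SSLClientCertSubject", "CN=Someone Else,O=Example")]

if __name__ == "__main__":
    for label, hdrs, peer in (("ok", HEADERS_OK, "10.0.0.5"),
                              ("bad chain", HEADERS_BAD_CHAIN, "10.0.0.5"),
                              ("duplicated", HEADERS_DUPLICATED, "10.0.0.5"),
                              ("wrong peer", HEADERS_OK, "192.0.2.10")):
        print(label, "->", identity_from_headers(hdrs, peer))
```

The peer check matters as much as the status check: the iRule only inserts the headers on the path to the pool member, so anything reaching the backend by another route must be treated as unauthenticated regardless of what headers it carries.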