Forum Discussion
Michael_Falkenr
Nov 17, 2004 (Historic F5 Account)
Verify Valid Client Certificate
Have a current 4.x config as follows:
proxy 10.10.10.6:443 unit 1 {
target virtual 127.0.201.6:80
clientssl enable
clientssl key test.key
clients...
Michael_Falkenr
Jan 26, 2005 (Historic F5 Account)
I thought I would just add another rule I obtained from the ENEs. This rule did not work in my customer's environment (they're using the previous rule in this post), but I thought I would include it here. It would be nice to know which rule is more efficient/secure/etc. Basically, what are the pros/cons of each?
Custom auth rule: tracks the OCSP responder's result in the SSL session table.
rule oscp_authonly_gomes {
    when CLIENT_ACCEPTED {
        # Start a PAM auth session against the default SSL OCSP profile
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
    }
    when CLIENTSSL_CLIENTCERT {
        # Hand the client cert and its issuer to the OCSP auth session,
        # then pause the handshake until the responder answers
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        SSL::handshake hold
        set id [SSL::sessionid]
    }
    when AUTH_SUCCESS {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            # Responder said good: finish the handshake and record the result
            SSL::handshake resume
            set Z "success"
            session add ssl $id $Z
        }
    }
    when AUTH_FAILURE {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            # Responder said revoked/bad: finish the handshake but mark the
            # session so the HTTP rule can redirect to the error page
            SSL::handshake resume
            set Z "redirect"
            session add ssl $id $Z
        }
    }
    when AUTH_WANTCREDENTIAL {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            # No usable credential was supplied: drop the connection
            reject
        }
    }
    when AUTH_ERROR {
        if {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]} {
            # Responder unreachable or internal error: treated like a failure
            SSL::handshake resume
            set Z "redirect"
            session add ssl $id $Z
        }
    }
}
HTTP rule that checks the SSL session table for the OCSP responder's result.
rule ocsp_http {
    when HTTP_REQUEST {
        set id [SSL::sessionid]
        set y [session lookup ssl $id]
        log local0. "y is: $y"
        # Only a stored "redirect" result sends the client to the error page;
        # an empty lookup (no entry for this session) lets the request through
        if { $y contains "redirect" } {
            HTTP::redirect "http://192.168.104.25/certerror.html"
        }
    }
}
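One point worth checking when comparing the two approaches: the HTTP rule above only acts on a stored "redirect" value, so a request whose SSL session has no entry in the session table (entry expired, a resumed session where the client-cert event did not run, or the auth events never completing) is passed through unverified. The following variant is an added example, not code from the original post or from F5; it assumes the same convention as the posted rules (the client-side rule stores "success" or "redirect" under the SSL session ID) and fails closed when the lookup returns nothing. The rule name and the 403 body text are made up for illustration.

```tcl
# Added example: HTTP-side rule that fails closed when no OCSP result is stored.
# Assumes the client-side rule from this thread has already recorded
# "success" or "redirect" in the SSL session table under [SSL::sessionid].
rule ocsp_http_failclosed {
    when HTTP_REQUEST {
        set id [SSL::sessionid]
        set result [session lookup ssl $id]
        switch -- $result {
            "success" {
                # OCSP responder reported the certificate as good: allow the request
                return
            }
            "redirect" {
                # OCSP reported revoked/bad (or the auth errored): send to the error page
                HTTP::redirect "http://192.168.104.25/certerror.html"
            }
            default {
                # No entry for this session: treat the client as unverified
                # rather than silently allowing the request through
                log local0. "no OCSP result for SSL session $id; rejecting request"
                HTTP::respond 403 content "Client certificate not verified"
            }
        }
    }
}
```

The trade-off is availability: if the session-table entry times out mid-session, the client gets a 403 until it renegotiates and the client-side rule records a fresh result, so the session add timeout should be at least as long as the expected SSL session lifetime.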