Forum Discussion
17 Replies
- Colin_Walker_12 (Historic F5 Account): Tidux,
- unRuleY_95363 (Historic F5 Account): Just as a general note, if you want to store more than one thing in the session table, you would first need to build a list containing each thing. Then store the list in the session table.
    # Build the list with [list ...] so the bracketed commands are actually
    # evaluated (a brace-quoted literal would store the command text itself,
    # and lset on a variable that does not exist yet is an error in Tcl).
    set my_ssl_stuff [list [SSL::cert 0] [X509::verify_cert_error_string [SSL::verify_result]]]
    # Store the whole list under the SSL session id, with a 180 second timeout.
    session add ssl [SSL::sessionid] $my_ssl_stuff 180

    # Later, fetch the list back and pull out the individual elements.
    set my_ssl_stuff [session lookup ssl [SSL::sessionid]]
    set ssl_cert [lindex $my_ssl_stuff 0]
    set ssl_errstr [lindex $my_ssl_stuff 1]
- Tidux_92112 (Nimbostratus): Thanks to Colin and unRuleY.
    when CLIENTSSL_CLIENTCERT {
        # Two-element placeholder list, then fill each slot with lset
        set ssl_stuff [list anything1 anything2]
        set ssl_cert [SSL::cert 0]
        set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
        lset ssl_stuff 0 $ssl_cert
        lset ssl_stuff 1 $ssl_errstr
        # Keep the list in the session table, keyed by SSL session id, for 180 seconds
        session add ssl [SSL::sessionid] $ssl_stuff 180
    }
    when HTTP_REQUEST {
        set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
        set ssl_cert2 [lindex $ssl_stuff2 0]
        set ssl_errstr2 [lindex $ssl_stuff2 1]
        if { $ssl_errstr2 eq "ok" } {
            HTTP::header insert SSLClientCertStatus $ssl_errstr2
            HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
        } else {
            HTTP::redirect http://192.168.0.64/error.html
        }
    }
- Ryan_Segura_110 (Nimbostratus): I modified the example to show some more client SSL variables, does this sound right?
    when CLIENTSSL_CLIENTCERT {
        set ssl_cert [SSL::cert 0]
        set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
        # Build the list directly from the values, then store it for 180 seconds
        set ssl_stuff [list $ssl_cert $ssl_errstr]
        session add ssl [SSL::sessionid] $ssl_stuff 180
    }
    when HTTP_REQUEST {
        set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
        set ssl_cert2 [lindex $ssl_stuff2 0]
        set ssl_errstr2 [lindex $ssl_stuff2 1]
        if { $ssl_errstr2 eq "ok" } {
            HTTP::header insert SSLClientCertStatus $ssl_errstr2
            HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
            HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $ssl_cert2]
            HTTP::header insert SSLClientCertValidUtil [X509::not_valid_after $ssl_cert2]
            HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]
            HTTP::header insert SSLClientCertIssuer [X509::issuer $ssl_cert2]
        } else {
            HTTP::redirect http://192.168.0.64/error.html
        }
    }
- Joe_Pruitt (Cirrostratus): Looks good to me. Have you tried it out?
- Ryan_Segura_110 (Nimbostratus): I guess I have some more questions.
- Matthew_Newby_2 (Nimbostratus): Ryan, Joe, tidux, anyone else -- have any of you gotten this to work? This is almost exactly what we're trying to do here, but we have been summarily unsuccessful in accomplishing it. Our code for the iRule looks like this (almost exactly like the code an earlier poster was trying to run, except we're not doing the redirect at the end):
    when CLIENTSSL_CLIENTCERT {
        set ssl_cert [SSL::cert 0]
        set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
        set ssl_stuff [list $ssl_cert $ssl_errstr]
        session add ssl [SSL::sessionid] $ssl_stuff 180
    }
    when HTTP_REQUEST {
        set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
        set ssl_cert2 [lindex $ssl_stuff2 0]
        set ssl_errstr2 [lindex $ssl_stuff2 1]
        if { $ssl_errstr2 eq "ok" } {
            HTTP::header insert SSLClientCertStatus $ssl_errstr2
            HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
            HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $ssl_cert2]
            HTTP::header insert SSLClientCertValidUtil [X509::not_valid_after $ssl_cert2]
            HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]
            HTTP::header insert SSLClientCertIssuer [X509::issuer $ssl_cert2]
        } else {
            # No redirect here; just flag the failure in a header
            HTTP::header insert SSLClientCertError "Matt caught an error"
        }
    }
- Tidux_92112 (Nimbostratus): Maybe you should add some "log" to verify the data that the BIG-IP inserted into the HTTP header, like this:
    if { $ssl_errstr2 eq "ok" } {
        set sn [X509::serial_number $ssl_cert2]
        # Write the serial to the log so you can confirm what gets inserted
        log $sn
        HTTP::header insert SSLClientCertSN $sn
        ....
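Pulling the thread together, here is an added example iRule (mine, not any poster's) that combines unRuleY's store-a-list-then-lindex pattern, the header insertion from Ryan's and Matthew's versions, and Tidux's logging suggestion. It also handles a session table miss and strips any inbound copies of the headers before inserting them, so the backend only ever sees values the BIG-IP set; the header names and the 180 second lifetime are illustrative assumptions.

```tcl
# Added example, not code from this thread. Header names are assumed.
when CLIENTSSL_CLIENTCERT {
    # Build one Tcl list with [list ...] so the bracketed commands are
    # evaluated, then key it by the SSL session id for 180 seconds.
    set ssl_stuff [list [SSL::cert 0] [X509::verify_cert_error_string [SSL::verify_result]]]
    session add ssl [SSL::sessionid] $ssl_stuff 180
}

when HTTP_REQUEST {
    # Drop any client-supplied copies of these headers first; the backend
    # must only trust values inserted by this iRule.
    foreach h {SSLClientCertStatus SSLClientCertSN SSLClientCertSubject SSLClientCertIssuer SSLClientCertError} {
        HTTP::header remove $h
    }

    set ssl_stuff [session lookup ssl [SSL::sessionid]]
    # A miss (entry expired, or no CLIENTSSL_CLIENTCERT event for this
    # session) returns an empty string; treat it as a failed check.
    if { [llength $ssl_stuff] != 2 } {
        log local0. "no client cert data for SSL session [SSL::sessionid]"
        HTTP::header insert SSLClientCertError "no-cert-data"
        return
    }

    set ssl_cert [lindex $ssl_stuff 0]
    set ssl_errstr [lindex $ssl_stuff 1]
    if { $ssl_errstr eq "ok" } {
        set sn [X509::serial_number $ssl_cert]
        # Log what is about to be inserted, as Tidux suggested
        log local0. "client cert ok, serial $sn, subject [X509::subject $ssl_cert]"
        HTTP::header insert SSLClientCertStatus $ssl_errstr
        HTTP::header insert SSLClientCertSN $sn
        HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert]
        HTTP::header insert SSLClientCertIssuer [X509::issuer $ssl_cert]
    } else {
        log local0. "client cert verify failed: $ssl_errstr"
        HTTP::header insert SSLClientCertError $ssl_errstr
    }
}
```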
- Robert_Decker_2 (Nimbostratus): I was hoping somebody could help me out with this. I would like to send the same certificate information to our web servers. My main problem is that I receive a "page cannot be displayed" 400 bad request error with the following code:
- Robert_Decker_2 (Nimbostratus): I was able to make the iRule work after I dropped the following line: