Forum Discussion

Tarmo_Oja_95406
Mar 29, 2005

session {add|delete} ssl question

I found this code from Code Share.

rule c_cert_session {
  when RULE_INIT {
    set ::key [AES::key 128]
    log local0. "the key is:  $::key"
  }

  when CLIENTSSL_CLIENTCERT {
    # cache the certificate verify result in the session table, keyed by SSL session ID, for 180 s
    session add ssl [SSL::sessionid] [X509::verify_cert_error_string [SSL::verify_result]] 180
  }

  when HTTP_REQUEST {
    set id [SSL::sessionid]
    set y [session lookup ssl $id]
    if { $y ne "" } {
      # entry found in the session table: move it into an encrypted cookie and drop the entry
      set z [b64encode [AES::encrypt $::key $y]]
      log local0. "z is:  $z"
      session delete ssl $id
    } elseif { [HTTP::cookie exists ClientZ] } {
      # no session entry: fall back to the cookie and pass the decrypted result to the server
      HTTP::header insert ClientCert [AES::decrypt $::key [b64decode [HTTP::cookie ClientZ]]]
      log local0. "Inserting HTTP header ClientCert:   [AES::decrypt $::key [b64decode [HTTP::cookie ClientZ]]]"
    } else {
      set z [b64encode [AES::encrypt $::key none]]
      log local0. "no session, no cookie.  z is:  $z"
    }
  }

  when HTTP_RESPONSE {
    if { [info exists z] } {
      log local0. "in http response Z is: $z"
      # header name and header value are separate arguments to HTTP::header insert
      HTTP::header insert Set-Cookie "ClientZ=$z"
    }
  }
}
Questions:


a) why is session deleted in HTTP_REQUEST?


b) what is whole syntax for session {...} ssl command?


c) how to make sure that client has smart card still in reader during whole session?


2 Replies

    unRuleY_95363
    Historic F5 Account
    Answer:


    a) The rule was constructed to search the session table first and only if an entry wasn't found, look for the cookie. Because of this, the session entry needs to be deleted when switching to the cookie. This could easily be reworked to check for the cookie first, though you might risk getting an outdated cookie.


    b)

    session add ssl []
    session lookup ssl
    session delete ssl


    c) I have no idea. Maybe someone who is more familiar with how a client browser works with the smart cards can shed some light on this question.


    bl0ndie_127134
    Historic F5 Account
    Have you considered forcing an SSL re-negotiation after a certain timeout has been reached? Here is an example ...

    when CLIENT_ACCEPTED {
      set http_collect 0
    }

    when HTTP_REQUEST {
      if {[HTTP::request_num] > 10} {
        SSL::renegotiate
        HTTP::collect
        set http_collect 1
      }
    }

    when CLIENTSSL_HANDSHAKE {
      if {$http_collect == 1} {
        set http_collect 0
        HTTP::release
      }
    }

    You will at least be able to verify that the client still has the card.
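As an added example (not code from the thread, from Code Share or from F5), the original rule reworked along the lines of both replies: the cookie is checked first but carries its own timestamp so a stale cookie is ignored, the session table is the fallback, a failed verify is rejected at the BIG-IP, and a re-negotiation is forced every N requests so the card has to sign a fresh handshake. It assumes LTM v10+ `static::` variables (the thread's `::key` form is the v9 equivalent), a 300 s cookie lifetime and re-negotiation every 25 requests, all assumed values.

```tcl
when RULE_INIT {
    set static::key [AES::key 128]   ;# cookie encryption key, new on every rule load
    set static::cookie_ttl 300       ;# seconds a cached verify result stays trusted (assumed)
    set static::reneg_every 25       ;# force a fresh handshake every N requests (assumed)
}
when CLIENTSSL_CLIENTCERT {
    session add ssl [SSL::sessionid] \
        [X509::verify_cert_error_string [SSL::verify_result]] $static::cookie_ttl
}
when HTTP_REQUEST {
    set status ""
    # cookie first (first reply's rework); its own timestamp makes a stale cookie untrusted
    if { [HTTP::cookie exists ClientZ] } {
        catch {
            set plain [AES::decrypt $static::key [b64decode [HTTP::cookie ClientZ]]]
            if { [clock seconds] - [lindex $plain 0] < $static::cookie_ttl } {
                set status [lindex $plain 1]
            }
        }
    }
    if { $status eq "" } {
        set status [session lookup ssl [SSL::sessionid]]
        if { $status ne "" } {
            set z [b64encode [AES::encrypt $static::key [list [clock seconds] $status]]]
        }
    }
    if { $status ne "ok" } {   ;# OpenSSL reports a successful verify as "ok"
        HTTP::respond 403 content "valid client certificate required"
        return
    }
    HTTP::header insert ClientCert $status
    # periodic re-negotiation (second reply): the handshake only completes with the card present
    if { [HTTP::request_num] % $static::reneg_every == 0 } {
        SSL::renegotiate
        HTTP::collect
        set http_collect 1
    }
}
when CLIENTSSL_HANDSHAKE {
    if { [info exists http_collect] && $http_collect == 1 } {
        set http_collect 0
        HTTP::release
    }
}
when HTTP_RESPONSE {
    if { [info exists z] } {
        HTTP::header insert Set-Cookie "ClientZ=$z; Secure; HttpOnly"
        unset z
    }
}
```

The cookie only caches the verify result; the forced re-negotiation is what actually proves the card is still in the reader, since a removed card cannot sign the new handshake.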