Forum Discussion

Reddy1
Apr 20, 2020

SSL Errors for mutual auth irule

Hi,

We have the requirement to enforce mutual auth (client cert) based on the incoming URI. The iRule is written and it is able to SSL-renegotiate and request the cert. The cert is added to the header and sent to the server pool.

In HTTP_RESPONSE I am able to see the 302 from the server; however, there is an SSL connection reset error on the browser. I need help with the iRule event and the log I can add to see the response leaving the F5 (to the client).

    when CLIENT_ACCEPTED {
        set session_flag 0
        set cert "string"
        set ccount 0
    }

    # During the SSL handshake, if a client cert is presented, increase ccount and set the cert variable.
    when CLIENTSSL_CLIENTCERT {
        # Checks the client cert count.
        if { [SSL::cert count] > 0 } {
            #log local0. "[IP::client_addr] Setting the cert variable"
            # Strips the PEM markers and whitespace so the cert fits in a single header value.
            set cert [string map -nocase { "-----BEGIN CERTIFICATE-----" "" } [X509::whole [SSL::cert 0]] ]
            set cert [string map -nocase { "-----END CERTIFICATE-----" "" } $cert ]
            set cert [string map -nocase { " " "" "\n" "" } $cert ]
            # Increases the ccount.
            incr ccount
            # Releases the HTTP request held by HTTP::collect once the renegotiation has delivered the cert.
            HTTP::release
        }
    }

    # During HTTP_REQUEST, checks the cert count and the HTTP URI. If both conditions are met, triggers the client cert renegotiation.
    when HTTP_REQUEST {
        # Checks the client cert count.
        if { [SSL::cert count] < 1 } {
            # Checks if the incoming HTTP::uri matches the data group list.
            if { [class match [string tolower [HTTP::uri]] contains SSO_URI_INCOMMING ]} {
                #log local0. "[IP::client_addr] No certificate found. Request certificate"
                # Sets client cert negotiation parameters.
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate enable
                SSL::renegotiate
                # Holds the HTTP request until HTTP::release in CLIENTSSL_CLIENTCERT.
                HTTP::collect
            }
        }
    }

    # Prior to sending the request to the server, insert the cert into the HTTP header.
    when HTTP_REQUEST_SEND {
        # Checks the number of certs negotiated. If at least one, inserts the cert into the client-side HTTP header.
        if { $ccount > 0 } {
            clientside {
                #log local0. "[IP::client_addr] Inserting certificate into HTTP header"
                # Inserts the cert.
                HTTP::header insert "CLIENT_CERT" $cert
            }
        }
    }

    when HTTP_RESPONSE {
        #log local0. "[HTTP::status]"
    }

2 Replies

  • What do you have in the log (cat /var/log/ltm)?

    I suspect you are falling under this case:

    https://clouddocs.f5.com/api/irules/HTTP__collect.html :

    This command cannot be called after any Tcl command that sends an HTTP response (e.g. redirect, HTTP::redirect, and HTTP::respond). A run-time error will result.

  • Hi,

    Thanks for the response. I figured out the issue: the cert was verified against the CA. We had the right cert and CA file uploaded, and it resolved the issue.
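The question asked which event and log line would show the response leaving the BIG-IP, and the replies point at /var/log/ltm and at the CA verification that turned out to be the cause. The diagnostic iRule below is an added example, not code from the original post or from F5; it only logs and never changes the traffic, so it can be attached to the same virtual server next to the mutual-auth iRule. It assumes a client SSL profile with a Trusted CA bundle configured and reuses the data group name SSO_URI_INCOMMING from the post. SSL::verify_result returns the OpenSSL verification code from the (re)negotiation, and X509::verify_cert_error_string turns that code into the familiar OpenSSL text, so a failed chain check shows up in the log instead of only as a reset in the browser.

```tcl
# Added diagnostic iRule (example, not part of the original post).
# Assumes: client SSL profile with a Trusted CA bundle; data group
# SSO_URI_INCOMMING as used in the original iRule.

when HTTP_REQUEST {
    # Shows whether the renegotiation branch of the mutual-auth iRule is about
    # to fire for this request: no cert yet and a URI that matches the data group.
    set hit [class match [string tolower [HTTP::uri]] contains SSO_URI_INCOMMING]
    log local0. "[IP::client_addr]:[TCP::client_port] uri=[HTTP::uri] certs=[SSL::cert count] uri_match=$hit"
}

when CLIENTSSL_CLIENTCERT {
    # Runs when the client presents a certificate during the (re)negotiation.
    # verify=0 means the chain validated against the profile's Trusted CA bundle;
    # anything else is the OpenSSL error code (e.g. unable to get local issuer
    # certificate), which under 'SSL::cert mode require' ends in a handshake failure
    # and the connection reset seen in the browser.
    set vres [SSL::verify_result]
    if { [SSL::cert count] > 0 } {
        log local0. "[IP::client_addr]:[TCP::client_port] client cert subject=[X509::subject [SSL::cert 0]] issuer=[X509::issuer [SSL::cert 0]] verify=$vres ([X509::verify_cert_error_string $vres])"
    } else {
        log local0. "[IP::client_addr]:[TCP::client_port] no client cert presented, verify=$vres"
    }
}

when CLIENTSSL_HANDSHAKE {
    # Fires once the (re)negotiated handshake completes. If the log shows the
    # CLIENTSSL_CLIENTCERT line but never this one, the handshake itself failed.
    log local0. "[IP::client_addr]:[TCP::client_port] handshake complete cipher=[SSL::cipher name] certs=[SSL::cert count]"
}

when HTTP_RESPONSE {
    # Response as it arrives from the pool member: confirms the 302 (and its
    # Location) is what the server actually sent.
    log local0. "[IP::client_addr]:[TCP::client_port] upstream status=[HTTP::status] location=[HTTP::header value Location]"
}

when HTTP_RESPONSE_RELEASE {
    # Last event before the response is handed to the client-side connection;
    # this is the point at which "the response leaving the F5" can be logged.
    log local0. "[IP::client_addr]:[TCP::client_port] sending to client status=[HTTP::status]"
}
```

Read the result with tail -f /var/log/ltm while reproducing the request. A request line with uri_match=1 followed by a CLIENTSSL_CLIENTCERT line whose verify value is non-zero and no "handshake complete" line is the CA bundle problem the second reply describes; a "sending to client" line with status=302 but a reset in the browser points instead at the client-side connection after the response was queued. Remove the iRule once the diagnosis is done, since it logs the client certificate subject and issuer on every request.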