I have replaced some names and IPs with xxxx.
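ltm rule /Common/insert_ssl_session_id {
    # Caches identifying fields of the client certificate under the TLS
    # session id (CLIENTSSL_CLIENTCERT) and replays them to the pool as
    # XClientSSL_* / XVersion request headers on every HTTP request that
    # belongs to that session.
    when CLIENTSSL_CLIENTCERT {
        # NOTE(review): nothing here checks [SSL::verify_result]. With
        # "SSL::cert mode request" (set below) an unverified certificate still
        # reaches this event, so the cached fields are only as trustworthy as
        # the client-ssl profile's CA verification - confirm that before the
        # pool relies on these headers for authorization.
        set cert [SSL::cert 0]
        set sn [X509::serial_number $cert]
        set subject [X509::subject $cert]
        set issuer [X509::issuer $cert]
        set version [X509::version $cert]
        # Keyed on the TLS session id with an 1800 s lifetime, so later
        # requests on the same session find the entry without renegotiating.
        session add uie [SSL::sessionid] [list $sn $issuer $subject $version] 1800
    }
    when HTTP_REQUEST {
        # Strip any XClientSSL_* / XVersion headers the client itself sent.
        # Without this, a client could inject its own values and the pool
        # would receive them alongside (or instead of) the ones set below;
        # the insert commands add headers, they do not replace existing ones.
        HTTP::header remove XClientSSL_Serial
        HTTP::header remove XClientSSL_Issuer
        HTTP::header remove XClientSSL_Subject
        HTTP::header remove XVersion
        if { [SSL::cert count] < 1 } {
            # No certificate on this session yet: request one by renegotiating.
            # The session entry is only created once CLIENTSSL_CLIENTCERT
            # fires, so this request is presumably forwarded without the
            # headers and only subsequent requests carry them - verify if the
            # first request must already be tagged.
            SSL::authenticate once
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        } else {
            set values [session lookup uie [SSL::sessionid]]
            # "ne" is the string comparison; "!=" tries numeric coercion first.
            if { [lindex $values 0] ne "" } {
                HTTP::header insert XClientSSL_Serial [lindex $values 0]
                log local0. "Inserting Serial [lindex $values 0]"
                HTTP::header insert XClientSSL_Issuer [lindex $values 1]
                log local0. "Inserting Issuer [lindex $values 1]"
                HTTP::header insert XClientSSL_Subject [lindex $values 2]
                log local0. "Inserting Subject [lindex $values 2]"
                HTTP::header insert XVersion [lindex $values 3]
                log local0. "Inserting Version [lindex $values 3]"
            }
        }
    }
}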
# HTTPS virtual server on y.y.y.y:443 that attaches the insert_ssl_session_id
# iRule; the client-side TLS termination happens in the clientside profile
# listed under "profiles" (/Common/xxxx here).
ltm virtual /Common/xxxx_VS_y.y.y.y {
destination /Common/y.y.y.y:443
http-class {
/Common/xxxx
}
ip-protocol tcp
mask 255.255.255.255
pool /Common/xxxx_NET_POOL
profiles {
/Common/xxxx_TCP_profile { }
# clientside profile: this is the one whose renegotiation settings the iRule
# depends on (presumably the client-ssl profile shown below - confirm names).
/Common/xxxx {
context clientside
}
/Common/xxxxx {
context serverside
}
/Common/http_x_forwarded_for { }
}
# The iRule that requests the client certificate and inserts the headers.
rules {
/Common/insert_ssl_session_id
}
snat automap
translate-address enabled
translate-port enabled
vlans {
/Common/xxx
}
vlans-enabled
}
# Client-side TLS profile. Renegotiation must stay enabled here for the
# iRule's SSL::renegotiate call to work; no ca-file / peer-cert-mode is shown,
# so whether presented client certificates are verified against a trusted CA
# cannot be told from this listing - confirm before trusting the headers.
ltm profile client-ssl /Common/xxxxx_client {
app-service none
cert /Common/xxxxx_cert.crt
defaults-from /Common/clientssl
key /Common/xxxxx_cert.key
# A fresh session id is issued after renegotiation, which is what the iRule
# keys its session-table entry on.
options { no-session-resumption-on-renegotiation }
renegotiate-max-record-delay 100
renegotiate-period indefinite
renegotiate-size indefinite
renegotiation enabled
# "request" still accepts clients that do not support RFC 5746 secure
# renegotiation; "require" refuses them. Consider "require" once all
# clients are known to support it.
secure-renegotiation request
}