i thought about it again, and since SSL::cert applies for the lifetime of the SSL session, i do not think a session table is needed.
SSL::cert wiki
https://devcentral.f5.com/wiki/irules.SSL__cert.ashx
therefore, what about something like this?
[root@ve10:Active] config b virtual bar list
virtual bar {
snat automap
pool foo
destination 172.28.19.252:443
ip protocol 6
rules myrule
profiles {
http {}
myclientssl {
clientside
}
tcp {}
}
}
[root@ve10:Active] config b profile myclientssl list
profile clientssl myclientssl {
defaults from clientssl
ca file "caroot.crt"
client cert ca "default.crt"
peer cert mode require
}
[root@ve10:Active] config b rule myrule list
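rule myrule {
  when HTTP_REQUEST {
    # Only forward client-identity headers when the certificate presented in
    # the handshake verified cleanly against the profile's "ca file".
    if { [X509::verify_cert_error_string [SSL::verify_result]] eq "ok" } {
      # Strip any client-supplied copies first: HTTP::header insert adds a
      # header rather than replacing one, so without this a client could send
      # its own ClientSSL_subject / ClientSSL_serial and the pool member would
      # receive two values and might trust the forged one.
      HTTP::header remove ClientSSL_subject
      HTTP::header remove ClientSSL_serial
      # SSL::cert 0 is the peer (client) certificate of the verified chain.
      HTTP::header insert ClientSSL_subject [X509::subject [SSL::cert 0]]
      HTTP::header insert ClientSSL_serial [X509::serial_number [SSL::cert 0]]
      # Kept from the original rule; presumably so the pool member does not
      # answer 304 Not Modified -- confirm this is still wanted.
      HTTP::header remove "If-Modified-Since"
    } else {
      # Fail closed: a request whose certificate did not verify is never
      # forwarded to the pool. With "peer cert mode require" on the profile
      # shown, the handshake itself should already fail before HTTP_REQUEST
      # fires, so this branch mainly matters if that mode is relaxed later.
      HTTP::respond 403
    }
  }
}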
[root@ve10:Active] config ssldump -Aed -nni 0.0 port 443 or port 80 -k /config/ssl/ssl.key/default.key
New TCP connection 1: 172.28.19.251(33858) <-> 172.28.19.252(443)
1 1 1370373595.5790 (0.0247) C>S SSLv2 compatible client hello
1 2 1370373595.5791 (0.0000) S>CV3.1(49) Handshake
1 3 1370373595.5791 (0.0000) S>CV3.1(953) Handshake
1 4 1370373595.5791 (0.0000) S>CV3.1(165) Handshake
1 5 1370373595.5791 (0.0000) S>CV3.1(4) Handshake
1 6 1370373595.7061 (0.1270) C>SV3.1(1489) Handshake
1 7 1370373595.7061 (0.0000) C>SV3.1(262) Handshake
1 8 1370373595.7061 (0.0000) C>SV3.1(518) Handshake
1 9 1370373595.7061 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 10 1370373595.7061 (0.0000) C>SV3.1(36) Handshake
1 11 1370373595.7284 (0.0222) S>CV3.1(1) ChangeCipherSpec
1 12 1370373595.7284 (0.0000) S>CV3.1(36) Handshake
1 13 1370373595.7302 (0.0017) C>SV3.1(176) application_data
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252
Accept: */*
---------------------------------------------------------------
New TCP connection 2: 200.200.200.10(33858) <-> 200.200.200.101(80)
1370373595.7320 (0.0013) C>S
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252
Accept: */*
ClientSSL_subject: CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US
ClientSSL_serial: 01
---------------------------------------------------------------