when RULE_INIT {
    # Generates a 128-bit AES key into a global variable. Nothing else in this
    # rule reads ::key, so as written the key is unused. NOTE(review): globals
    # assigned in RULE_INIT are widely reported to demote the virtual server
    # from CMP on v11+ - confirm on the target version; if no other rule needs
    # the key, drop this line.
    set ::key [AES::key 128]
}
when CLIENT_ACCEPTED {
    # Troubleshooting only: one log line per accepted TCP connection.
    log local0. "Client Address: [IP::client_addr]"
    # Open the PAM/OCSP auth session ("default_ssl_ocsp") as soon as the
    # connection is accepted. Its id is reused in CLIENTSSL_CLIENTCERT to
    # submit the certificate and in AUTH_RESULT to recognise the reply.
    set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
}
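when CLIENTSSL_CLIENTCERT {
    # Fires when the client answers the certificate request. If a certificate
    # is present, record it plus the trust-validation result in the session
    # table and start the OCSP revocation check; otherwise just log.
    if { [SSL::cert count] > 0 } {
        set ssl_cert [SSL::cert 0]
        # Trusted-CA validation result from the clientssl profile, as a
        # string ("ok" when validation passed - HTTP_REQUEST compares on it).
        set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]

        # Keyed by SSL session id so HTTP_REQUEST can retrieve the result on
        # later connections that resume the TLS session (this event does not
        # run again there). Layout: 0=certificate, 1=validation error string,
        # 2=OCSP status - left empty until AUTH_RESULT fills it in; an empty
        # status is rejected in HTTP_REQUEST, so a connection that dies before
        # AUTH_RESULT cannot leave a usable entry behind.
        set id [SSL::sessionid]
        set ssl_stuff [list $ssl_cert $ssl_errstr ""]
        session add ssl $id $ssl_stuff 5400

        # Ask the OCSP responders about revocation and pause the handshake
        # until AUTH_RESULT reports back. Note this runs even when trust
        # validation failed; the failure is enforced in HTTP_REQUEST.
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid $ssl_cert
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        SSL::handshake hold
    } else {
        # No session entry is written, so HTTP_REQUEST sees an empty lookup
        # and redirects to the "no certificate" error page.
        log local0. "No certificate provided"
    }
    log local0. "Client IP: [IP::remote_addr]"
}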
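when AUTH_RESULT {
    # AUTH::status values (https://clouddocs.f5.com/api/irules/AUTH__status.html):
    #   0 = success, 1 = failure, -1 = error, 2 = not-authed
    # Only the OCSP auth session started in CLIENT_ACCEPTED is handled; its
    # outcome goes into slot 2 of $ssl_stuff and is written back under the
    # SSL session id saved in CLIENTSSL_CLIENTCERT (both set there, before
    # AUTH::authenticate, so they exist whenever this event fires).
    set is_ocsp [expr {$tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id]}]

    switch -- [AUTH::status] {
        0 {
            log local0. "AUTH_SUCCESS"
            if { $is_ocsp } {
                log local0. "OCSP servers say the certificate is good"
                lset ssl_stuff 2 "success"
            }
        }
        -1 {
            log local0. "AUTH_ERROR"
            if { $is_ocsp } {
                log local0. " An error occurred communicating with the OCSP servers"
                lset ssl_stuff 2 "error"
            }
        }
        default {
            # Status 1 (failure) and 2 (not-authed) both land here and are
            # both treated as a revocation failure.
            log local0. "AUTH_FAILURE"
            if { $is_ocsp } {
                log local0. " OCSP servers say the certificate was revoked"
                lset ssl_stuff 2 "failure"
            }
        }
    }

    # The handshake is allowed to complete whatever the OCSP outcome; the
    # revoked/error cases are only enforced in HTTP_REQUEST, so this rule
    # relies on an HTTP profile being attached. Non-HTTP traffic would pass.
    SSL::handshake resume
    # Same 5400s lifetime as the entry written at handshake time; the
    # original omitted the timeout here, so the refreshed entry did not
    # match the initial one.
    session add ssl $id $ssl_stuff 5400
}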
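when HTTP_REQUEST {
    # Strip any client-supplied copies of the headers this rule uses to tell
    # the web servers that the certificate was accepted. Without this a client
    # could send its own CertAuth/SSLClientCertSubject and the backend could
    # not tell them apart from the ones inserted below.
    HTTP::header remove CertAuth
    HTTP::header remove SSLClientCertSubject

    # Retrieve the certificate record written in CLIENTSSL_CLIENTCERT. The
    # lookup goes through the session table, keyed by SSL session id, because
    # on a resumed TLS session that event does not run and $ssl_cert is not
    # set on this connection (the original logged $ssl_cert here, which raised
    # a runtime error on exactly those connections). An empty result means no
    # certificate was presented, or the entry has expired (5400s).
    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]

    if { $ssl_stuff2 eq "" } {
        log local0. "Client IP [IP::remote_addr] requesting: [HTTP::method]/[HTTP::host][HTTP::uri] has no client certificate record"
        log local0. "No certificate was supplied, redirecting"
        log local0. "Cert Auth = Failed"
        HTTP::redirect "http://www.bnymellon.com.br/custerr/403-7.htm"
        return
    }

    # 0=certificate, 1=trusted-cert validation string, 2=OCSP status
    set ssl_cert2 [lindex $ssl_stuff2 0]
    set ssl_errstr2 [lindex $ssl_stuff2 1]
    set ssl_revoke2 [lindex $ssl_stuff2 2]

    # Verbose per-request log so an admin can follow certificate results.
    log local0. "Client IP [IP::remote_addr] connected with the Client Certificate: [X509::subject $ssl_cert2], requesting: [HTTP::method]/[HTTP::host][HTTP::uri], browser: [HTTP::header User-Agent], Referer: [HTTP::header exists Referer], HTTP version [HTTP::version], Persitance Cookie: [HTTP::cookie exists JSESSIONID], SSL: [SSL::cipher name]/[SSL::cipher version]/[SSL::cipher bits]"
    log local0. "Certificate Information, Trusted Certificate Validation: $ssl_errstr2, OCSP Revocation Statue: $ssl_revoke2"

    if { $ssl_errstr2 ne "ok" } {
        # Trust-chain validation failed at handshake time. This is reachable:
        # CLIENTSSL_CLIENTCERT records the result and holds/resumes the
        # handshake regardless of it.
        HTTP::redirect "http://www.bnymellon.com.br/custerr/403-7.htm"
        log local0. "Invalid certificate was redirected"
        return
    }

    # Trusted-certificate validation passed; act on the OCSP status.
    switch -- $ssl_revoke2 {
        "error" {
            # Could not reach / get an answer from the OCSP responders.
            HTTP::redirect "http://www.bnymellon.com.br/custerr/403-13.htm"
            log local0. "OCSP error was redirected"
        }
        "failure" {
            # NOTE(review): this is a revocation bypass. Any certificate whose
            # issuer DN contains the substring "OU=Geotrust" is accepted even
            # though OCSP reported a failure, so a revoked certificate from
            # such an issuer is still granted CertAuth=Pass. The original
            # comment justified it as certificates "not in the OCSP server";
            # confirm that is still true and scope the match to the exact
            # issuer DN (equals, not contains) if the exception must stay.
            if { [X509::issuer $ssl_cert2] contains "OU=Geotrust" } {
                log local0. "Cert is from verisign, Cert issuer - [X509::issuer $ssl_cert2]"
                HTTP::header insert CertAuth "Pass"
                HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]
            } else {
                # OCSP reported the certificate as revoked (or not authed).
                # The original issued two redirects here, the first to an
                # internal 10.1.1.1 page; only the public error page is kept.
                HTTP::redirect "http://www.bnymellon.com.br/custerr/403-13.htm"
                log local0. "Revoked certificate was redirected"
            }
        }
        "success" {
            # Certificate valid and not revoked: pass the subject to the web
            # servers so they can look up the user's account and privileges.
            HTTP::header insert CertAuth "Pass"
            HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]
        }
        default {
            # Includes the empty status left when AUTH_RESULT never ran for
            # this session; fail closed.
            log local0.error "Invalid revocation status = $ssl_revoke2"
            reject
        }
    }
}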