Forum Discussion
Kevin_Stewart
Nov 15, 2013Employee
You'll necessarily want to do this in your auth rule, so here's a minor modification that should work for you:
when CLIENT_ACCEPTED {
set tmm_auth_ssl_ocsp_sid 0
set tmm_auth_ssl_ocsp_done 0
}
when CLIENTSSL_CLIENTCERT {
if { [SSL::cert count] > 0 } {
set tmm_auth_ssl_ocsp_done 0
if {$tmm_auth_ssl_ocsp_sid == 0} {
set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
if {[info exists tmm_auth_subscription]} {
AUTH::subscribe $tmm_auth_ssl_ocsp_sid
}
}
AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
AUTH::authenticate $tmm_auth_ssl_ocsp_sid
SSL::handshake hold
} else {
no cert
set NOCERT 1
SSL::session invalidate
}
}
when CLIENTSSL_HANDSHAKE {
set tmm_auth_ssl_ocsp_done 1
}
when AUTH_RESULT {
if {[info exists tmm_auth_ssl_ocsp_sid] and ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
set tmm_auth_status [AUTH::status]
if {$tmm_auth_status == 0} {
set tmm_auth_ssl_ocsp_done 1
SSL::handshake resume
} elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
reject
}
}
}
when HTTP_REQUEST {
if { [info exists NOCERT] } {
HTTP::redirect "http://www.yahoo.com"
}
}