Zafer,
Can you clarify how you were testing? Do you have the client SSL profile client cert option set to require or request? What type of test did you try when you encountered the issue?
Can you try this version of the client cert header insert rule. I think it covers more cases than the original version:
client_cert_header_insert_rule

when CLIENTSSL_CLIENTCERT {
    # Check if the client presented at least one cert
    if {[SSL::cert count] > 0}{
        # Insert the following fields in the session table with a timeout of 7200 seconds.
        # Do the processing now as opposed to in HTTP_REQUEST, as there
        # can be many HTTP requests using the same SSL session ID.
        # Index - item (order matches the list built below and the lindex calls in HTTP_REQUEST)
        # 0 - the verification status for the client cert against the client SSL profile's root CA cert (0 = ok)
        # 1 - base64 encoding of the client SSL cert
        # 2 - serial number of the cert
        session add ssl [SSL::sessionid] [list \
            [SSL::verify_result] \
            [b64encode [SSL::cert 0]] \
            [X509::serial_number [SSL::cert 0]] \
        ] 7200
        log local0. "[IP::client_addr]:[TCP::client_port]: Added session data for cert. Status:\
            [X509::verify_cert_error_string [lindex [session lookup ssl [SSL::sessionid]] 0]] with key [SSL::sessionid]"
    }
}

when HTTP_REQUEST {
    # Check if the SSL session ID is in the cache (SSL::sessionid returns 64 zeroes if it's not)
    if {[SSL::sessionid] ne "0000000000000000000000000000000000000000000000000000000000000000"}{
        # Get the session table entry (a TCL list) for this session ID
        set session_data [session lookup ssl [SSL::sessionid]]
        # Check if the first element of the session table entry for this session ID is 0 (status for successful cert validation)
        if {[lindex $session_data 0] == 0}{
            log local0. "[IP::client_addr]:[TCP::client_port]: Valid cert per session table entry. Inserting cert details in HTTP headers."
            # Insert cert details in the HTTP headers
            HTTP::header insert SSLClientCertStatus "ok"
            HTTP::header insert SSLClientCertb64 [lindex $session_data 1]
            HTTP::header insert SSLClientCertSN [lindex $session_data 2]
            # Exit this event in this rule
            return
        }
    }
    # If we're still in this rule, the cert wasn't valid (or there is no session table entry),
    # so send an HTTP 302 redirect to an error page
    # (HTTP::respond requires a status code; HTTP::redirect emits the 302 with the Location header)
    HTTP::redirect "http://[HTTP::host]/cert_error.html"
    log local0. "[IP::client_addr]:[TCP::client_port]: No or invalid cert from client."
}
Aaron
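The logic of the iRule above, modelled in Python as an added example (this is not code from the thread or from F5): a session table keyed by SSL session ID with a TTL, entries populated once at the client-cert handshake in the same index order the rule uses, and a per-request lookup that either produces the three headers or falls through to the redirect. The `SessionTable` class, the handler names, the injectable clock and the sample inputs are all constructed for this illustration; the 64-zero sentinel, the 7200 second timeout, the header names and the "verify result 0 means valid" check come from the rule.

```python
import base64
import time

# SSL::sessionid returns 64 zeroes when no session ID is cached (sentinel used by the rule)
NO_SESSION_ID = "0" * 64
# Session table entry timeout used by the rule
TTL_SECONDS = 7200


class SessionTable:
    """Constructed stand-in for the BIG-IP session table: value plus absolute expiry per key."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised deterministically
        self._entries = {}

    def add(self, key, record, ttl):
        self._entries[key] = (record, self._now() + ttl)

    def lookup(self, key):
        """Return the stored record, or None if the key is absent or its TTL has elapsed."""
        item = self._entries.get(key)
        if item is None:
            return None
        record, expires = item
        if self._now() >= expires:
            del self._entries[key]
            return None
        return record


def on_clientssl_clientcert(table, session_id, verify_result, cert_der, serial):
    """CLIENTSSL_CLIENTCERT: cache [status, base64 cert, serial] if a cert was presented.

    Index order must match what on_http_request reads back: 0 = status, 1 = b64 cert, 2 = serial.
    """
    if cert_der is None:
        return False
    record = [verify_result, base64.b64encode(cert_der).decode("ascii"), serial]
    table.add(session_id, record, TTL_SECONDS)
    return True


def on_http_request(table, session_id, host):
    """HTTP_REQUEST: ('headers', {...}) for a validated cert, otherwise ('redirect', url).

    Falls through to the redirect when there is no session ID, no table entry (never
    added or already expired), or a non-zero verification status.
    """
    if session_id != NO_SESSION_ID:
        data = table.lookup(session_id)
        if data is not None and data[0] == 0:
            return ("headers", {
                "SSLClientCertStatus": "ok",
                "SSLClientCertb64": data[1],
                "SSLClientCertSN": data[2],
            })
    return ("redirect", "http://%s/cert_error.html" % host)


if __name__ == "__main__":
    # Constructed walk-through: a handshake with a valid cert, then two requests on that session
    clock = [1000.0]
    table = SessionTable(now=lambda: clock[0])
    sid = "ab" * 32
    on_clientssl_clientcert(table, sid, 0, b"\x30\x03\x02\x01\x01", "0x1a2b")
    print(on_http_request(table, sid, "app.example.test"))
    clock[0] += TTL_SECONDS + 1   # entry has aged out; a resumed session now gets the redirect
    print(on_http_request(table, sid, "app.example.test"))
```

The expiry branch is worth watching in a real deployment: a client that resumes its SSL session after the session table entry has aged out arrives in HTTP_REQUEST with no entry and no new CLIENTSSL_CLIENTCERT event, so it is redirected even though its cert was valid. Keeping the table timeout at or above the client SSL profile's session cache timeout avoids that mismatch.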