Erki_Märks_2779
Dec 14, 2007Nimbostratus
Client authentication
The problem is that with this irule, we have to make java servlet to refresh the request, otherwise it doesn't send the cert information to the application server. Can anyone help me to edit this irule so that it will send the client cert information with the first request?
when CLIENT_ACCEPTED {
set gotcert 0
SSL::profile client_cert_optional
}
when CLIENTSSL_CLIENTCERT {
set sslc [SSL::cert 0]
set ssle [X509::verify_cert_error_string [SSL::verify_result]]
set ssl_stuff [list $sslc $ssle]
session add ssl [SSL::sessionid] $ssl_stuff 180
set gotcert 1
}
when CLIENTSSL_HANDSHAKE {
HTTP::release
}
when HTTP_REQUEST {
set request [HTTP::request]
set uri [HTTP::uri]
switch -regexp $uri {
^/(login|admin/login|etc.)/$ {
if { [SSL::cert count] == 0 } {
HTTP::collect
SSL::authenticate always
SSL::authenticate depth 3
SSL::cert mode require
SSL::renegotiate
set y [session lookup ssl [SSL::sessionid]]
set ssl_cert [lindex $y 0]
set ssl_ok [lindex $y 1]
if { $ssl_ok contains "ok" } {
HTTP::header insert ClientCertExtensions [X509::extensions $ssl_cert]
HTTP::header insert ClientCertHash [X509::hash $ssl_cert]
HTTP::header insert SSLCLientCertStatus $ssl_ok
HTTP::header insert "CLIENT_IP" [IP::client_addr]
HTTP::header insert "SSL_CLIENT_M_SERIAL" [X509::serial_number $ssl_cert]
HTTP::header insert "SSL_CLIENT_I_DN" [X509::issuer $ssl_cert]
HTTP::header insert "SSL_CLIENT_S_DN" [X509::subject $ssl_cert]
HTTP::header insert "SSL_CLIENT_I_DN_x509" [X509::issuer $ssl_cert]
HTTP::header insert "SSL_CLIENT_CERT" [X509::whole $ssl_cert]
HTTP::header insert "SSL_CLIENT_M_VERSION" [X509::version $ssl_cert]
HTTP::header insert "SSL_CLIENT_V_START" [X509::not_valid_before $ssl_cert]
HTTP::header insert "SSL_CLIENT_V_END" [X509::not_valid_after $ssl_cert]
HTTP::header insert "SSL_CLIENT_VERIFY" "SUCCESS"
log [X509::whole $ssl_cert]
}
}
}
}
}