Spela_317265
Oct 25, 2017 · Nimbostratus
iRule to redirect user with incorrect certificate to specific url
Hello,
I'm writing an iRule which should redirect the user to a specific URI if the user doesn't have a cert or has an incorrect cert. The client SSL profile's client authentication is set to "ignore". I want to redirect a user with an incorrect cert to "https://[HTTP::host]/index.php?id=14", which is the only URI that works without cert auth. An HTTP respond or redirect in the event "when HTTP_REQUEST_SEND" does not work, but logging does ("No or invalid client Certificate!").
Browser response when I choose an incorrect cert:
" This site can’t provide a secure connection
sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR "
Code:
when CLIENTSSL_CLIENTCERT {
    HTTP::release
    if { [SSL::cert count] < 1 } {
        log local0. "No client Certificate!"
    }
}
when HTTP_REQUEST {
    if { [HTTP::uri] ne "/index.php?id=14" } {
        if { [SSL::cert count] <= 0 } {
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
    if { [HTTP::uri] eq "/index.php?id=14" } {
        log local0. "uri eq id=14"
        pool XYZ-POOL
    }
}
when HTTP_REQUEST_SEND {
    clientside {
        if { [SSL::cert count] > 0 } {
            HTTP::header insert "X-SSL-Session-ID" [SSL::sessionid]
            HTTP::header insert "X-SSL-Client-Cert-Status" [X509::verify_cert_error_string [SSL::verify_result]]
            HTTP::header insert "X-SSL-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
            HTTP::header insert "X-SSL-Client-Cert-Issuer" [X509::issuer [SSL::cert 0]]
            log local0. "http header insert completed"
        } else {
            log local0. "No or invalid client Certificate!"
            HTTP::redirect "https://www.xyz.com/index.php?id=14"
            HTTP::respond 302 Location "https://[HTTP::host]/index.php?id=14"
        }
    }
}
Best regards,
Spela