Looking for an Irule to enforce ssl client authentication and then pass ssl certificate details to the backend server
Hi I used the below irlue: when CLIENTSSL_CLIENTCERT { log local0. "start CLIENTSSL_CLIENTCERT" set the_cert [SSL::cert 0] set pkiSubject [X509::subject $the_cert] set pkiIssuer [X509::issuer $the_cert] log local0. "end CLIENTSSL_CLIENTCERT" }
when HTTP_REQUEST { log local0. "start HTTP_REQUEST, uri is [HTTP::uri]" if { [HTTP::uri] eq "/server.htm" } { log local0. "/server.htm detected!" if { [SSL::cert count] == 0} { log local0. "no certificate found... force SSL" SSL::cert mode require SSL::renegotiate log local0. "end HTTP_REQUEST" } } else { log local0. "certificate found!" set the_cert [SSL::cert 0] set pkiSubject [X509::subject $the_cert] set pkiIssuer [X509::issuer $the_cert] HTTP::header insert CLIENTSSL_Status [SSL::verify_result] HTTP::header insert CLIENTSSL_StatusString [X509::verify_cert_error_string [SSL::verify_result]] HTTP::header insert CLIENTSSL_CN $pkiSubject HTTP::header insert CLIENTSSL_SSLIssuer $pkiIssuer HTTP::header insert CLIENTSSL_SSLClientCertSN [X509::serial_number $the_cert] HTTP::header insert CLIENTSSL_Cert [b64encode $the_cert] } }
I get request to provide certificate while requsting server.htm, but the header are not inserted on the get request forwarded to the server. I run tcpdump and get the below: ..P.......GET /server.htm HTTP/1.1 Accept: text/html, application/xhtml+xml, / Accept-Language: en-US,he-IL;q=0.7,he;q=0.3 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: 192.168.3.100 If-Modified-Since: Tue, 28 Oct 2014 21:19:37 GMT If-None-Match: "120851-14-50682345b18a4" Connection: Keep-Alive
I'm using LTM 11.4
how can I resolve the problem?