Forum Discussion

zafer
Dec 28, 2009

InsertCertInServerHeaders

Hello

I tested this rule, but it does not check an empty certificate from IE.

I tested with Firefox, sending an empty certificate to the VIP, and the redirect works properly, but when I tested with IE I could access the home page. It's a security hole.

Note: we need to add this into the iRule:

 } elseif { $ssl_errstr2 eq "" } {
    HTTP::redirect "http://192.168.0.64/empty.html"
    log local0. "client: [IP::remote_addr]:[TCP::remote_port] Empty certificate"

regards zafer

10 Replies

  • Hi Zafer,

    What is the method of how you are checking the client cert? It would help if you could post the entire iRule.

    Bhattman
  • Nevermind. I never looked at the subject of your post.

    Did you try putting a space in the quotes?

    I.E. $ssl_errstr2 eq " "

    Bhattman
  • zafer
    Hi Bhattman,

    I want to inform users that this iRule does not check an empty certificate coming from IE (I put the link below).

    http://devcentral.f5.com/Wiki/default.aspx/iRules/InsertCertInServerHeaders.html

    I added these lines of code and it works with IE:

    } elseif { $ssl_errstr2 eq "" } {
        HTTP::redirect "http://192.168.0.64/empty.html"
        log local0. "client: [IP::remote_addr]:[TCP::remote_port] Empty certificate"

    That's all.

    Bhattman, I have a problem with Firefox; I posted another message in the forum. Is it possible for you to help me?

    Here is my post link:

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=813947&view=topic

    Regards,

    zafer
  • I am sorry, I am a bit confused, because in your first posting you wrote that I.E. didn't work, but now it does? Is Firefox the problem, or IE, or both?

    Bhattman
  • Zafer,

    Can you clarify how you were testing? Do you have the client SSL profile client cert option set to require or request? What type of test did you try when you encountered the issue?

    Can you try this version of the client cert header insert rule? I think it covers more cases than the original version:

      client_cert_header_insert_rule

      when CLIENTSSL_CLIENTCERT {

         # Check if client presented at least one cert
         if {[SSL::cert count] > 0}{

            # Insert the following fields in the session table with a timeout of 7200 seconds:
            # Do the processing now as opposed to in HTTP_REQUEST as there
            # can be many HTTP requests using the same SSL session ID
            #
            # Index - item
            # 0 - the verification status of the client cert against the client SSL profile's root CA cert
            # 1 - base64 encoding of the client SSL cert
            # 2 - serial number of the cert
            session add ssl [SSL::sessionid] [list \
               [SSL::verify_result] \
               [b64encode [SSL::cert 0]] \
               [X509::serial_number [SSL::cert 0]] \
            ] 7200

            log local0. "[IP::client_addr]:[TCP::client_port]: Added session data for cert. Status:\
               [X509::verify_cert_error_string [lindex [session lookup ssl [SSL::sessionid]] 0]] with key [SSL::sessionid]"
         }
      }

      when HTTP_REQUEST {

         # Check if SSL session ID is in the cache (SSL::sessionid returns 64 zeroes if it's not)
         if {[SSL::sessionid] ne "0000000000000000000000000000000000000000000000000000000000000000"}{

            # Get the session table entry (a TCL list) for this session ID
            # (empty string if no cert was presented, so nothing was added in CLIENTSSL_CLIENTCERT)
            set session_data [session lookup ssl [SSL::sessionid]]

            # Check if the first element of the session table entry for this session ID is 0 (status for successful cert validation)
            if {$session_data ne "" && [lindex $session_data 0] == 0}{

               log local0. "[IP::client_addr]:[TCP::client_port]: Valid cert per session table entry. Inserting cert details in HTTP headers."

               # Insert cert details in the HTTP headers
               HTTP::header insert SSLClientCertStatus "ok"
               HTTP::header insert SSLClientCertb64 [lindex $session_data 1]
               HTTP::header insert SSLClientCertSN [lindex $session_data 2]

               # Exit this event in this rule
               return
            }
         }
         # If we're still in this rule, cert wasn't valid
         # so send HTTP 302 redirect to an error page
         HTTP::redirect "http://[HTTP::host]/cert_error.html"

         log local0. "[IP::client_addr]:[TCP::client_port]: No or invalid cert from client."
      }

    Aaron
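The rule above relies on the absence of a session table entry to catch the empty-certificate case. As an added example (not Aaron's rule and not F5's own code), the iRule below records the outcome explicitly as one of three states, so an empty Certificate message from IE (the user clicking OK without choosing a cert) lands in the same "no cert" branch as a client that never answered, and a cert that failed validation gets its own error page. It assumes the client SSL profile has the client certificate option set to "request"; the header names are reused from the rule above and the error page paths are placeholders.

```tcl
# Added example, not the rule from the thread or F5's own code. Assumes the client
# SSL profile is set to "request"; /no_cert.html and /bad_cert.html are placeholders.

when CLIENTSSL_CLIENTCERT {
    # Default to "none": an empty Certificate message leaves [SSL::cert count] at 0
    set status "none"
    set cert_b64 ""
    if { [SSL::cert count] > 0 } {
        # A cert was presented; verify_result 0 means it chained to the profile's trusted CA
        if { [SSL::verify_result] == 0 } {
            set status "ok"
            set cert_b64 [b64encode [SSL::cert 0]]
        } else {
            set status "invalid"
            log local0. "[IP::client_addr]:[TCP::client_port]: cert rejected: [X509::verify_cert_error_string [SSL::verify_result]]"
        }
    } else {
        log local0. "[IP::client_addr]:[TCP::client_port]: empty client certificate list"
    }
    # Store the decision keyed by SSL session ID, since later HTTP requests on the same
    # session (and resumed sessions, which exchange no certificate) do not re-run this event
    session add ssl [SSL::sessionid] [list $status $cert_b64] 7200
}

when HTTP_REQUEST {
    # Drop any client-supplied copies of these headers: the backend treats them as
    # authoritative, so only values set by this rule may reach it
    HTTP::header remove SSLClientCertStatus
    HTTP::header remove SSLClientCertb64

    set status "none"
    set entry [session lookup ssl [SSL::sessionid]]
    if { $entry ne "" } {
        set status [lindex $entry 0]
    }
    switch -- $status {
        ok {
            HTTP::header insert SSLClientCertStatus "ok"
            HTTP::header insert SSLClientCertb64 [lindex $entry 1]
        }
        invalid {
            HTTP::redirect "http://[HTTP::host]/bad_cert.html"
        }
        default {
            # "none", or no table entry at all: treat exactly like no certificate
            HTTP::redirect "http://[HTTP::host]/no_cert.html"
        }
    }
}
```

With the profile set to "require" instead of "request", the empty Certificate message fails the handshake before HTTP_REQUEST ever fires, so the "none" branch is only reachable in "request" mode; the header removal at the top of HTTP_REQUEST is worth keeping in either mode.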
  • zafer
    Hi Bhattman,

    If I use this iRule (http://devcentral.f5.com/Wiki/default.aspx/iRules/InsertCertInServerHeaders.html) I can bypass the BIG-IP with IE.

    I added this string ( } elseif { $ssl_errstr2 eq "" } { ) into the iRule and it works properly; it cannot bypass the BIG-IP with IE.

    Regarding Firefox, it works without this string. This is the difference between IE and Firefox.

    Regards,

    zafer
  • zafer
    Hi Aaron,

    I will test your iRule and inform you ASAP.

    I have a question about IE: when I make a request to the BIG-IP without a client certificate, I see an empty certificate request screen from IE, but then I click the OK button.

    What is the difference between IE and Firefox at this point?

    Regarding the multiple client certificate requests from Firefox, can I solve that with this iRule?

    Regards,

    Zafer
  • Hi Zafer,

    Can you try testing the above iRule I posted with IE and Firefox and reply with the results? If there are any issues, can you post the anonymized logs from /var/log/ltm and a description of the symptoms?

    Thanks,

    Aaron
  • Hi Scot,

    That example I posted above (Click here) should work for 9.4.x. But it doesn't do any enforcement based on the validation of the client cert against the trusted CA cert. Nor does it check the cert against an OCSP server. If you check your other post, I replied with a link to a Codeshare example I added that does validation of the client cert against the CA cert and one or more OCSP servers.

    Aaron