Forum Discussion

yeser
Nimbostratus
Feb 14, 2008

iRule to ask for client cert

Hi, I developed an iRule to ask for a certificate and insert it in an HTTP header. All works properly, but BIG-IP asks for the client certificate all the time, on each click and each part of the same page. The default behaviour is to authenticate ONCE (not always), but I specified it in the iRule. Any idea of the problem? Help!

The iRule is:

when HTTP_REQUEST {
    # Ask for a certificate only once per connection, and only on the protected path.
    if { (not [info exists EncCert]) and ([HTTP::uri] starts_with "/XXXXXX") } {
        # Hold the request while the client-side handshake is redone.
        HTTP::collect
        SSL::authenticate once
        SSL::authenticate depth 3
        SSL::cert mode request
        SSL::renegotiate
    }
}

when CLIENTSSL_HANDSHAKE {
    # Renegotiation finished: let the held request continue.
    HTTP::release
}

when HTTP_REQUEST_SEND {
    # SSL::cert is a client-side command, so switch context before reading it.
    clientside {
        if { ([SSL::cert count] > 0) and (not [info exists InsCert]) } {
            HTTP::header insert "auth-cert" [X509::whole [SSL::cert 0]]
            set InsCert "OK"
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    # A certificate arrived on this connection; remember it so we do not ask again.
    set EncCert "OK"
}

1 Reply

  • Hi,

    The thing is, a variable will exist only for this connection (except if you were using global variables, which is not the case here). Your variable EncCert exists only for this connection. Since your browser will open many connections, you'll need to authenticate for each. If your client uses HTTP/1.0, there will be authentication for each object.

    HTTP::collect is useless here. It may be used if you need to look at the payload manually; through the HTTP:: commands you don't need such manipulation.

    I can't test this one right now, but it should work properly.

    when HTTP_REQUEST {
        # No certificate on this connection yet: ask for one on the protected path.
        if { ([SSL::cert count] == 0) and ([HTTP::uri] starts_with "/XXXXXX") } {
            SSL::authenticate once
            SSL::authenticate depth 3
            SSL::cert mode request
            SSL::renegotiate
        }
        else {
            # Certificate already present on this connection: pass it to the server.
            HTTP::header insert "auth-cert" [X509::whole [SSL::cert 0]]
        }
    }

    when CLIENTSSL_HANDSHAKE {
        HTTP::release
    }

    Try to make a search on this forum for keywords like SSL::authenticate; you will find some working examples.

    HTH

    N.
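An added iRule (not from the original post or the reply) that keeps yeser's hold-and-release structure but decides on [SSL::cert count] as N. suggests, and adds two things a practitioner would want: the client-supplied auth-cert header is stripped so a browser cannot forge what the server trusts, and a client that declines to present a certificate gets a 403 instead of a renegotiation on every request. The path /XXXXXX is the placeholder from the thread; the per-connection flag cert_asked is a hypothetical name chosen here.

```tcl
# Added example, not from the original post or the reply.
# "/XXXXXX" is the thread's placeholder path; "cert_asked" is a hypothetical
# per-connection flag name chosen for this example.

when CLIENT_ACCEPTED {
    # iRule variables live per connection, so reset the flag for each new TCP connection.
    set cert_asked 0
}

when HTTP_REQUEST {
    # The server trusts auth-cert, so never let the client supply it.
    HTTP::header remove "auth-cert"

    if { ([HTTP::uri] starts_with "/XXXXXX") and ([SSL::cert count] == 0) } {
        if { $cert_asked } {
            # Already renegotiated on this connection and no certificate arrived:
            # refuse instead of renegotiating again on every request.
            HTTP::respond 403 content "Client certificate required"
            return
        }
        set cert_asked 1
        # Hold this request until the handshake finishes (released below).
        HTTP::collect
        SSL::authenticate once
        SSL::authenticate depth 3
        SSL::cert mode request
        SSL::renegotiate
    }
}

when CLIENTSSL_HANDSHAKE {
    # Renegotiation done (with or without a certificate): let the held request continue.
    HTTP::release
}

when HTTP_REQUEST_SEND {
    # SSL::cert needs the client-side context; insert the header on every request
    # that has a certificate, including the held one once its handshake completed.
    clientside {
        if { [SSL::cert count] > 0 } {
            HTTP::header insert "auth-cert" [X509::whole [SSL::cert 0]]
        }
    }
}
```

The first protected request on a connection still reaches the server without auth-cert if the client never presents a certificate, so the server side must treat a missing header as unauthenticated.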