Oliver_Schmidt
Aug 04, 2006
SSL client cert rule only works with 9.1, not 9.2
The attached rule from Rick Masters works fine with LTM 9.1.2 but doesn't work with 9.2.3.
Any ideas?
Tuesday, December 07, 2004
Requiring an SSL Certificate for Parts of an Application
By Rick Masters
http://devcentral.f5.com/Default.aspx?tabid=29&mid=356&ctl=ArticleView&articleId=39
when CLIENT_ACCEPTED {
    set needcert 0
    set gotcert 0
}
When a client does an SSL handshake, this rule event is triggered. This is the time to validate that a certificate has been received. If a certificate has not been received, but we were expecting one ($needcert == 1), then the connection is rejected. If the certificate has been received, we note that for future reference (set gotcert 1) and we release the current request (HTTP::release) if we were waiting for a certificate before releasing the request.
when CLIENTSSL_HANDSHAKE {
    log LOCAL0.warn "cert count=[SSL::cert count] result=[SSL::verify_result]"
    if { [SSL::cert count] == 0 or [SSL::verify_result] != 0 } {
        log LOCAL0.warn "Bad cert!"
        if { $needcert == 1 } {
            reject
        }
    } else {
        log LOCAL0.warn "Good cert! ($needcert)"
        set gotcert 1
        if { $needcert == 1 } {
            HTTP::release
        }
    }
}
Here we process an HTTP request. If the request is for a directory that has been designated for extra security, then several things happen. We freeze the HTTP request until the client certificate is received, we tell SSL to require a certificate, we tell SSL to renegotiate now, and then we set a flag that indicates we need a certificate.
when HTTP_REQUEST {
    if { $gotcert == 0 and [HTTP::uri] starts_with "/needcert" } {
        log LOCAL0.warn "Requiring certificate..."
        HTTP::collect
        SSL::cert mode require
        SSL::renegotiate
        set needcert 1
    } else {
        log LOCAL0.warn "No cert needed."
    }
}
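A hardened variant of the same three-event rule, added here as an example (it is not Rick Masters' code and has not been tested on any particular LTM release): it guards against connection state that was never initialised, compares the protected path case-insensitively, and logs the accepted certificate's subject for audit. It assumes X509::subject and HTTP::path are available on the LTM version in use; the /needcert prefix is kept from the article.

```tcl
# Added example, not from the original article. Assumes X509::subject and
# HTTP::path exist on this LTM release; "/needcert" is the article's prefix.
when CLIENT_ACCEPTED {
    set needcert 0
    set gotcert 0
}

when CLIENTSSL_HANDSHAKE {
    # Do not assume CLIENT_ACCEPTED ran for this connection.
    if { ![info exists needcert] } { set needcert 0 }
    if { ![info exists gotcert] } { set gotcert 0 }

    if { [SSL::cert count] == 0 or [SSL::verify_result] != 0 } {
        # 0 is X509_V_OK; anything else is a verification failure.
        log LOCAL0.warn "client cert missing or failed (verify_result=[SSL::verify_result])"
        if { $needcert == 1 } {
            # The HTTP request is still held by HTTP::collect; drop the connection.
            reject
        }
    } else {
        set gotcert 1
        # Record who authenticated; this is the audit trail for the protected path.
        log LOCAL0.notice "client cert accepted: [X509::subject [SSL::cert 0]]"
        if { $needcert == 1 } {
            HTTP::release
        }
    }
}

when HTTP_REQUEST {
    if { ![info exists gotcert] } { set gotcert 0 }

    # Match the path (no query string) case-insensitively so a differently
    # cased request for the same directory is gated too.
    if { [string tolower [HTTP::path]] starts_with "/needcert" } {
        if { $gotcert == 0 } {
            log LOCAL0.warn "protected path [HTTP::path]: requiring client certificate"
            HTTP::collect
            SSL::cert mode require
            SSL::renegotiate
            set needcert 1
        }
        # Otherwise a verified certificate was already seen on this connection.
    }
}
```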