Forum Discussion

Oliver_Schmidt
Aug 04, 2006

SSL client cert rule only works with 9.1, not 9.2

The attached rule from Rick Masters works fine with LTM 9.1.2 but doesn't work with 9.2.3.

Any ideas?

Tuesday, December 07, 2004

Requiring an SSL Certificate for Parts of an Application

By Rick Masters

http://devcentral.f5.com/Default.aspx?tabid=29&mid=356&ctl=ArticleView&articleId=39

when CLIENT_ACCEPTED {
    # Per-connection flags: are we waiting on a client certificate,
    # and has a valid one already been presented on this connection?
    set needcert 0
    set gotcert 0
}

When a client does an SSL handshake, this rule event is triggered. This is the time to validate that a certificate has been received. If a certificate has not been received, but we were expecting one ($needcert == 1), then the connection is rejected. If the certificate has been received, we note that for future reference (set gotcert 1) and we release the current request (HTTP::release) if we were waiting for a certificate before releasing the request.

when CLIENTSSL_HANDSHAKE {
    # Runs after every client-side handshake, including the renegotiation
    # that HTTP_REQUEST forces below.
    log LOCAL0.warn "cert count=[SSL::cert count] result=[SSL::verify_result]"
    if { [SSL::cert count] == 0 or [SSL::verify_result] != 0 } {
        # No certificate, or one that failed verification against the profile's CA.
        log LOCAL0.warn "Bad cert!"
        if { $needcert == 1 } {
            # Only fatal when the parked request actually required a certificate.
            reject
        }
    } else {
        log LOCAL0.warn "Good cert! ($needcert)"
        set gotcert 1
        if { $needcert == 1 } {
            # Forward the request that HTTP::collect parked.
            HTTP::release
        }
    }
}

Here we process an HTTP request. If the request is for a directory that has been designated for extra security, then several things happen. We freeze the HTTP request until the client certificate is received, we tell SSL to require a certificate, we tell SSL to renegotiate now, and then we set a flag that indicates we need a certificate.

when HTTP_REQUEST {
    if { $gotcert == 0 and [HTTP::uri] starts_with "/needcert" } {
        log LOCAL0.warn "Requiring certificate..."
        # Hold the request until CLIENTSSL_HANDSHAKE releases it.
        HTTP::collect
        # Demand a client certificate, then force a new handshake right now.
        SSL::cert mode require
        SSL::renegotiate
        set needcert 1
    } else {
        log LOCAL0.warn "No cert needed."
    }
}

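As an added example (not code from Rick Masters' article or from anyone in this thread), the same renegotiation-based step-up generalized to several protected URI prefixes, with the verified certificate's subject logged and handed to the pool member in a request header. The prefix list, the header name X-Client-Cert-Subject, and the assumption that X509::subject is available on the LTM release in use are mine, not the page's; the thread reports the SSL::cert commands themselves misbehaving on 9.2.3, and nothing here works around that.

```tcl
# Added example: per-URI client-certificate step-up via SSL::renegotiate,
# extended to multiple prefixes and forwarding the verified subject.
# Prefix list, header name and X509::subject availability are assumptions.

when CLIENT_ACCEPTED {
    # Per-connection state: has a cert been demanded, and has a verified one
    # been presented. All of it resets with every new TCP connection.
    set needcert 0
    set gotcert 0
    set subject ""
}

when CLIENTSSL_HANDSHAKE {
    # Fires after the initial handshake and again after the renegotiation
    # forced from HTTP_REQUEST. The clientssl profile's CA decides verify_result.
    if { [SSL::cert count] == 0 or [SSL::verify_result] != 0 } {
        if { $needcert == 1 } {
            # A cert was required for the parked request and none verified:
            # drop the connection rather than forward the request.
            log LOCAL0.warn "client cert required but absent/invalid (verify_result=[SSL::verify_result]) from [IP::client_addr]"
            reject
        }
    } else {
        set gotcert 1
        # Assumed available on this release: X509::subject parses the leaf
        # certificate that SSL::cert 0 returns.
        set subject [X509::subject [SSL::cert 0]]
        log LOCAL0.info "client cert verified: $subject"
        if { $needcert == 1 } {
            # Forward the request that HTTP::collect parked.
            HTTP::release
        }
    }
}

when HTTP_REQUEST {
    # Never trust a client-supplied copy of the identity header (assumed name),
    # otherwise a client could forge it on paths that never required a cert.
    HTTP::header remove "X-Client-Cert-Subject"

    # Protected prefixes (constructed for this example).
    set protected 0
    foreach prefix [list "/needcert" "/admin" "/api/private"] {
        if { [HTTP::uri] starts_with $prefix } {
            set protected 1
            break
        }
    }

    if { $protected == 1 and $gotcert == 0 } {
        # Park the request, demand a certificate, and force a new handshake now.
        HTTP::collect
        SSL::cert mode require
        SSL::renegotiate
        set needcert 1
    } elseif { $gotcert == 1 } {
        # Later requests on this connection carry the verified subject upstream.
        HTTP::header insert "X-Client-Cert-Subject" $subject
    }
}
```

Two things to keep in mind when adapting this: the request that triggers the renegotiation is released by CLIENTSSL_HANDSHAKE exactly as it was parked, so only subsequent requests on the same keep-alive connection carry the subject header; and stripping the header at the top of every HTTP_REQUEST is what stops a client from asserting an identity on unprotected paths where no certificate was ever demanded.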
2 Replies

    Deb_Allen_18
    Historic F5 Account
    We've recently discovered that many of the SSL::cert functions that worked in 9.1.x are broken in 9.2.x. I'm not aware of any workaround besides reverting to the maintenance branch (9.1.x).

    Please open a Support case with the specifics you encountered. They will create or link to a CR for your issue and let you know when it gets fixed.

    /deb
    Nathan_Pearce_4
    Historic F5 Account
    Two CR's have been created around this issue - CR58837 and CR68339.

    Please contact F5 Support for instructions on obtaining and installing the Hotfix.

    br,

    n