Forum Discussion

Mr_Moody
Oct 16, 2020

custom error page for missing client authentication certificate

I have a working iRule below that requests a client certificate based on URI and a data group list. In the event the client does not provide a valid cert, I would like to redirect the user to a custom HTML error page (hosted on another site) with further instructions. Any help would be appreciated.

when HTTP_REQUEST {
  if {[HTTP::uri] starts_with "/uri1" || [HTTP::uri] starts_with "/uri2"} {
    if {not [matchclass [IP::remote_addr] equals NOCERT_IP_LIST]} {
      SSL::session invalidate
      SSL::authenticate always
      SSL::authenticate depth 9
      SSL::cert mode require
      set cmd "SSL::profile /Common/require_clientssl"
      eval $cmd
      SSL::renegotiate
      event disable all
    }
  }
}

3 Replies

  • Hi

    I did not test it, but something like this should help:

    when CLIENT_ACCEPTED {
        # assume no client certificate until CLIENTSSL_CLIENTCERT says otherwise
        set clientCertPresent 0
    }

    when CLIENTSSL_CLIENTCERT {
        # guard with the cert count: SSL::cert 0 errors when no certificate was sent
        if { [SSL::cert count] > 0 } {
            set subject_dn [X509::subject [SSL::cert 0]]
            if { $subject_dn != "" } {
                set clientCertPresent 1
            }
        }
    }

    when HTTP_REQUEST {
      if { [HTTP::uri] starts_with "/uri1" || [HTTP::uri] starts_with "/uri2" } {
        if { not [matchclass [IP::remote_addr] equals NOCERT_IP_LIST] && $clientCertPresent equals "0" } {
          SSL::session invalidate
          SSL::authenticate always
          SSL::authenticate depth 9
          SSL::cert mode require
          set cmd "SSL::profile /Common/require_clientssl"
          eval $cmd
          SSL::renegotiate
          event disable all
        } else {
          HTTP::redirect "https://my.error.page.com/error.htm"
        }
      }
    }

    hope this helps.

    Yoann

    • jaikumar_f5

      Also, if OP would like to capture the CN alone, he can go with first checking whether any cert was provided at all, [SSL::cert count] > 0. Based on that, trigger the if block; if it passes, then capture the CN or the entire subject accordingly. If planning to capture the CN, here,

      [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]

      And if you want to throw a custom page, just go with this,

      HTTP::respond 403 content "<html>The requested URI - [HTTP::host][HTTP::uri] is restricted, your provided client certificate (CN=[findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]) is not allowed to access. Contact admin</html>"
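      The pieces from the two replies (cert-count check in CLIENTSSL_CLIENTCERT, CN extraction with findstr, redirect or inline 403 in HTTP_REQUEST) combined into one iRule, as an added example that is not code from the thread. It assumes the virtual server's client SSL profile is set to request (not ignore) client certificates, so no renegotiation dance is needed; the data group name NOCERT_IP_LIST and the error page URL are taken from the question, and the X-Client-CN header name is an assumption.

```tcl
# Added example, not from the original thread. Assumes the client SSL profile on
# the virtual server requests a client certificate, so CLIENTSSL_CLIENTCERT runs
# before any HTTP_REQUEST and the handshake result is known by then.
when CLIENT_ACCEPTED {
    # Assume no usable certificate until CLIENTSSL_CLIENTCERT says otherwise
    set client_cert_ok 0
    set client_cn ""
}

when CLIENTSSL_CLIENTCERT {
    # SSL::cert count is 0 when the client sent no certificate at all, and
    # SSL::verify_result is 0 only when the chain validated against the CA bundle
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set client_cert_ok 1
        # findstr: start 3 characters after "CN=", stop at the next comma
        set client_cn [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
    }
}

when HTTP_REQUEST {
    # Only the protected URIs need a certificate
    if { !([HTTP::uri] starts_with "/uri1" || [HTTP::uri] starts_with "/uri2") } {
        return
    }
    # Addresses in the NOCERT_IP_LIST data group are exempt
    if { [class match [IP::remote_addr] equals NOCERT_IP_LIST] } {
        return
    }
    if { $client_cert_ok } {
        # Pass the validated CN upstream for logging/authorization (assumed header name)
        HTTP::header insert X-Client-CN $client_cn
        return
    }
    # Missing or failed certificate: send the user to the external error page ...
    HTTP::redirect "https://my.error.page.com/error.htm"
    # ... or, instead of redirecting, answer inline as the reply above does:
    # HTTP::respond 403 content "<html>A valid client certificate is required for [HTTP::host][HTTP::uri]</html>"
}
```

      With an "ignore" profile on the virtual server the CLIENTSSL_CLIENTCERT event never sees a certificate, so this only works once the profile itself asks for one.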
    • Mr_Moody

      Thank you for the reply. Unfortunately I was not able to make this rule work for me. Perhaps I can elaborate on my goals. We can ignore the URI condition as it's not the most important part.

      First: if the IP is on NO_CERT_IP_LIST, then allow access without client certs (using ignore_cs_ssl_profile?).

      Second: all other IPs will require client certs (require_cs_ssl_profile?). If there are any SSL errors at this stage, then the client should be redirected to an HTML error page. This would include wrong-cert or no-cert errors.

      Thank you!

      In the VS I have an SSL profile assigned and set to ignore client certs as the default. The iRule I have working now selects a different SSL profile that requires client certs based on the condition of the data group and URI. This works as intended, except I am not able to redirect to a custom error page.