Forum Discussion
Scot_86001
Feb 22, 2010 (Nimbostratus)
Aaron,
Thank you.
I have taken my original iRule I posted and think I have added in session gathering/persistence correctly. Currently, I am working with F5 to get my OCSP responders to work. Once that happens, I will move on to checking those results. I hope what I have done closes some of my previous mistakes/holes.
when CLIENTSSL_CLIENTCERT {
    # Bail out first if no certificate was presented; otherwise SSL::cert 0
    # is empty and the X509:: commands below raise a TCL error.
    if { [SSL::cert count] < 1 } {
        reject
        return
    }
    # time to maintain session data (in seconds)
    set session_timeout 1800
    set ssl_cert [SSL::cert 0]
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    set ssl_subject [X509::subject $ssl_cert]
    set ssl_issuer [X509::issuer $ssl_cert]
    # Store the cert, its verification status, subject and issuer keyed by the
    # SSL session ID so later requests on the same session can reuse them.
    set ssl_stuff [list $ssl_cert $ssl_errstr $ssl_subject $ssl_issuer]
    session add ssl [SSL::sessionid] $ssl_stuff $session_timeout
    # Release the request that HTTP_REQUEST held back while renegotiating.
    HTTP::release
}

when HTTP_REQUEST {
    set v1 [URI::query [HTTP::uri] "p"]
    # Only the protected application paths require a client certificate.
    if { ($v1 contains "ESAT") || ($v1 contains "311") } {
        if { [SSL::cert count] <= 0 } {
            # Hold the request, then renegotiate and ask for a client cert.
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        }
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        if { [SSL::cert count] > 0 } {
            # An expired or missing session entry yields empty fields, so the
            # status check below fails closed and redirects.
            set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
            set ssl_cert2 [lindex $ssl_stuff2 0]
            set ssl_errstr2 [lindex $ssl_stuff2 1]
            set ssl_subject2 [lindex $ssl_stuff2 2]
            set ssl_issuer2 [lindex $ssl_stuff2 3]
            if { $ssl_errstr2 eq "ok" } {
                # Drop any copies of these headers the client sent itself, so a
                # client cannot inject its own certificate identity upstream.
                HTTP::header remove SSLClientCertStatus
                HTTP::header remove SSLClientCertSN
                HTTP::header remove "SSL_CLIENT_S_DN"
                HTTP::header remove "SSL_CLIENT_I_DN"
                HTTP::header insert SSLClientCertStatus $ssl_errstr2
                HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
                HTTP::header insert "SSL_CLIENT_S_DN" $ssl_subject2
                HTTP::header insert "SSL_CLIENT_I_DN" $ssl_issuer2
            } else {
                # send HTTP 302 redirect to an error page
                HTTP::redirect "http://images.mhf.dod.mil/error.html"
            }
        }
    }
}