Hi,
You're using a global variable to track whether the cert is valid or not. The global variable could be modified from every TCP connection of every client.
You might be better off adding the SSL session ID to the session table in CLIENTSSL_CLIENTCERT with a flag on whether it was valid or not. Then in HTTP_REQUEST you could look up the session table entry using the SSL session ID and send a response if it's a bad session ID. You can use a Codeshare example as a template for this:
Insert Cert In Server Headers
Also, you don't need to use subst when sending the HTTP response. It's only used if you're trying to force escaped characters to be interpreted within the response content.
Lastly, you shouldn't unset the ::response variable as you'll need to reference it every time you find an invalid SSL session ID.
Aaron
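
The approach described in the reply above, sketched as an iRule. This is an added example, not part of the original post or the Codeshare entry; the timeout, the response body, the `valid`/`invalid` flag values and the use of `static::` variables in place of the post's `::response` global are assumptions.

```tcl
# Added example: track certificate validity per SSL session in the session
# table instead of in a global that every client connection can overwrite.

when RULE_INIT {
    # Assumed values: entry lifetime (seconds) and the rejection body.
    # static:: variables are set once and only read afterwards, so the
    # response text is never unset or modified per connection.
    set static::cert_flag_timeout 180
    set static::response "<html><body>Invalid client certificate</body></html>"
}

when CLIENTSSL_CLIENTCERT {
    # SSL::verify_result returns 0 when the presented certificate verified.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set cert_flag "valid"
    } else {
        set cert_flag "invalid"
    }

    # Key the flag on this connection's SSL session ID. Skip the write if
    # no session ID is available; the lookup below then fails closed.
    set sid [SSL::sessionid]
    if { $sid ne "" } {
        session add ssl $sid $cert_flag $static::cert_flag_timeout
    }
}

when HTTP_REQUEST {
    # Look up the flag stored for this SSL session ID.
    set sid [SSL::sessionid]
    set cert_flag ""
    if { $sid ne "" } {
        set cert_flag [session lookup ssl $sid]
    }

    # Fail closed: a missing or expired entry is treated like an invalid
    # certificate, so only an explicit "valid" flag reaches the pool.
    if { $cert_flag ne "valid" } {
        HTTP::respond 403 content $static::response
    }
}
```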