Forum Discussion

Nimbostratus

Dec 19, 2008

SSL ClientCert validation

I have an iRule that I am attempting to write that will validate a client SSL certificate. If an error is found, log it and deliver a custom http::respond. I can get the http::respond to work all by ...

Cirrostratus

Dec 19, 2008

Hi,

You're using a global variable to track whether the cert is valid or not. The global variable could be modified from every TCP connection of every client.

You might be better off adding the SSL session ID to the session table in CLIENTSSL_CLIENTCERT with a flag on whether it was valid or not. Then in HTTP_REQUEST you could look up the session table entry using the SSL session ID and send a response if it's a bad session ID. You can use a Codeshare example as a template for this:

Insert Cert In Server Headers (Click here)

Also, you don't need to use subst when sending the HTTP response. It's only used if you're trying to force a escaped characters to be interpreted within the response content.

Lastly, you shouldn't unset the ::response variable as you'll need to reference it every time you find an invalid SSL session ID.

Aaron

Forum Discussion

SSL ClientCert validation

Recent Discussions

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Inquiry on F5's Maintenance Mode Feature for Pool Members

Ansible modules for F5OS

VPN fragmented IP packets dropped

Related Content

POC: Validate JWT with iRule

Implementing SSL Orchestrator - Validation & Troubleshooting

iRule to accept client then SSL cert validation

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

SSL Profiles