Forum Discussion

GavinW_29074
Jan 16, 2012

Catch specific SSL errors/failures???

Hi there

One of the requirements that I've been given is to try and catch certain SSL errors and return a more friendly error page, rather than the browser default...

A couple of the examples that have come up so far are:

* A user attempting to connect to a VIP that is enforcing client SSL certificates but doesn't have a valid client SSL certificate installed...

* A user attempting to connect to a VIP with an expired client SSL certificate

* A user connecting with a very old SSL version or cipher...

Now the last one is nice and easy as there's plenty of reference code on the Wiki...

However I'm struggling with 1 & 2 above...

Any pointers or ideas???

Cheers

Gav

  • Damn... I've just spotted a gap in my rule...

    We've also got certain sites that use SSL, but don't have a client certificate requirement... I've currently made no provision for this...

    Is there a way of getting the 'peer-cert-mode' configured against the VIP SSL profile???

    Can then put a simple exception in for VIPs that have a 'peer-cert-mode' set to 'none' or where 'peer-cert-mode' isn't defined...

    Cheers

    Gavin
  • To request a client cert for specific URIs, you could:

    set the client SSL cert mode to ignore

    put the URIs you do or don't want to request a client cert for in a data group

    in HTTP_REQUEST, check if the URI requires a client cert, set a variable to track that you've requested a client cert and then do:

        # Force renegotiation of the SSL connection with a cert requested
        set need_cert 1
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode request
        SSL::renegotiate

    On the subsequent CLIENTSSL_CLIENTCERT event, check if the client presented a valid cert. If so, allow the request. If not, send a response and block the request.

    I'm not sure if it helps or overcomplicates things, but I tested a related iRule for selective client cert requesting. But it includes OCSP validation and was done pre-10.1.0 when the SSL::cert was cached for us for the duration of the SSL session. Anyhow, here it is:

    http://devcentral.f5.com/wiki/iRules.client_cert_request_by_uri_with_ocsp_checking.ashx

    If all of this looks too complicated, you could try separating the content which requires a client cert to another virtual server and then use the iRule you've already written.

    Aaron
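
    The outline above written out as a complete iRule, as an added example that is not code from the original post or from F5. It assumes the client SSL profile has its client certificate setting on Ignore and that a string data group named client_cert_uris (a hypothetical name) holds the URI prefixes that require a certificate; a missing or expired cert gets a friendly 403 page rather than the browser's handshake error.

```tcl
# Added example based on the outline above; not the original poster's or F5's code.
# Assumptions: client SSL profile with Client Certificate = Ignore, and a string
# data group "client_cert_uris" (hypothetical name) listing protected URI prefixes.
when CLIENT_ACCEPTED {
    # Per-connection state: have we asked for a cert yet, and did it validate?
    set need_cert 0
    set cert_ok 0
}

when HTTP_REQUEST {
    if { [class match [HTTP::uri] starts_with client_cert_uris] } {
        if { $cert_ok } {
            # Already validated earlier on this connection; let the request through
            return
        }
        if { !$need_cert } {
            # Hold the request, then renegotiate with a certificate request
            set need_cert 1
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    if { !$need_cert } { return }
    # SSL::verify_result is 0 only when the presented chain verified against the
    # profile's trusted CAs; no cert (count 0) or an expired cert fails this check.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set cert_ok 1
        HTTP::release
    } else {
        # Friendly error page instead of the browser's generic TLS failure
        HTTP::respond 403 content "<html><body>A valid client certificate is required.</body></html>" "Content-Type" "text/html"
    }
}
```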

  • Aaron

    Thanks for the pointers... However it does appear to overcomplicate things...

    However it did give me an idea for a solution... As we only need to change the SSL mode on a per-VIP basis, then we only need apply this rule to VIPs that need client cert verification... :-)

    Cheers again

    Gav