soymanue
Apr 05, 2011Nimbostratus
Certificate Authentication issue with Firefox 4
Hi
We have a SSL site. Once you have connected, you must get authenticated to access a a part of the site. You can be authenticated with user and password, but you can also choose to be authenticated with a certificate.
To do that whe have this iRule (based on an example found in devcentral):
Initialize the variables on new client tcp session.
when CLIENT_ACCEPTED {
set collecting 0
set renegtried 0
}
Runs for each new http request
when HTTP_REQUEST {
set uri [string tolower [HTTP::uri] ]
if { $renegtried == 0
and [SSL::cert count] == 0
and ([HTTP::uri] matches_regex {^/certauth.jsp$}) } {
HTTP::collect
set collecting 1
SSL::cert mode request
SSL::renegotiate
}
}
After a handshake, we log that we have tried it. This is to prevent
constant attempts to renegotiate the SSL session. I'm not sure of this
feature; this may in fact be a mistake, but we can change it at any time.
It is transparent if we do: the connections only work slower. It would,
however, make BigIP detect inserted smartcards immediately. Right answer
depends on the way the feature is used by applications.
when CLIENTSSL_HANDSHAKE {
if { $collecting == 1 } {
set renegtried 1
Release allows the request processing to occur normally from this
point forwards. The next event to fire is HTTP_REQUEST_SEND.
HTTP::release
}
}
Inject headers based on earlier renegotiations, if any.
when HTTP_REQUEST_SEND {
if {not ([catch {SSL::cipher version} result]) && $result ne "none"}{
clientside {
HTTP::header remove "WL-Proxy-Client-Cert"
if certificate is available, send it. Otherwise, send a header
indicating a failure, if we have already attempted a renegotiate.
catch {SSL::cert count } numbercerts
if { $numbercerts > 0 } {
set client_cert [SSL::cert 0]
HTTP::header insert "WL-Proxy-Client-Cert " [X509::whole [SSL::cert 0]]
HTTP::header insert "WL-Proxy-Client-Cert " [ join [string trim [string map { "-----BEGIN CERTIFICATE-----" "" "-----END CERTIFICATE-----" ""} [X509::whole [SSL::cert 0]] ] ] "" ]
log local0. "\[HTTP::header value WL-Proxy-Client-Cert\]: [HTTP::header value WL-Proxy-Client-Cert]"
foreach aHeader [HTTP::header names] {
log local0. "[IP::client_addr]:[TCP::client_port]: $aHeader \
([string length [HTTP::header value $aHeader]]): [HTTP::header value $aHeader]"
}
} elseif { $renegtried == 1 } {
This header has some debug value: if the FAILED header is not
present, BigIP is probably not configured to do client certs
at all.
HTTP::header insert "WL-Proxy-Client-Cert_FAILED" "true"
}
}
} else {
log local0. "\$result: $result. Redirecting unencrypted request."
}
}
After the upgrade to 10.2 the cert authentication stopped working until we enabled ssl renegotiation.Now we are suffering the same problem with Firefox 4: the certificate authentication doesn't work until we enable SSL Renegotation in the browser settings (https://support.mozilla.com/es/ques...wer-158847).
Is there any workaround? Is there any way to keep the certificate authentication without enabling SSL Renegotiation?
Thank you in advance