Scot_86001
Feb 21, 2010Nimbostratus
iRule Optimization w/ Certificates?
The iRule below functions and performs as it should. I have been told that what I have below may not be efficient or optimized. I am looking to see if anyone can make some suggestions on how to better optimize. I would also like to know if session persistence and timeout are being maintained as they should. This iRule performs client-side cert authentication only when a certain URI is sent. Upon successful login, header information from the cert is passed to the receiving application. The code below was pieced together from other iRules on DevCentral.
when CLIENTSSL_CLIENTCERT {
    set cert [SSL::cert 0]
    # Resume the HTTP request held by HTTP::collect during renegotiation
    HTTP::release
    # Drop the connection if the client sent no certificate
    if { [SSL::cert count] < 1 } {
        reject
    }
}
when HTTP_REQUEST {
    # Value of the "p" query-string parameter
    set v1 [URI::query [HTTP::uri] "p"]
    if { ($v1 contains "ESAT") || ($v1 contains "311") } then {
        # No client certificate yet: hold the request and renegotiate for one
        if { [SSL::cert count] <= 0 } {
            HTTP::collect
            SSL::session invalidate
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        }
    }
}
when HTTP_REQUEST_SEND {
    clientside {
        # Pass certificate details to the application as request headers
        if { [SSL::cert count] > 0 } {
            HTTP::header insert "X-SSL-Session-ID" [SSL::sessionid]
            HTTP::header insert "X-SSL-Client-Cert-Status" [X509::verify_cert_error_string [SSL::verify_result]]
            HTTP::header insert "SSL_CLIENT_S_DN" [X509::subject [SSL::cert 0]]
            HTTP::header insert "SSL_CLIENT_I_DN" [X509::issuer [SSL::cert 0]]
        }
    }
}
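A hardened variant of the iRule above, as an added example that is not part of the original post: it parses the certificate once per handshake instead of on every request, rejects certificates that fail verification, and removes client-supplied copies of the identity headers so the application only sees values set by the BIG-IP. It assumes the client SSL profile has a trusted CA bundle configured; the variable names (`cert_subject`, `cert_issuer`, `cert_status`, `ssl_sid`) are illustrative.

```tcl
# Added example, not the poster's code. Assumes the client SSL profile on the
# virtual server has a trusted CA bundle; variable names are illustrative.
when CLIENTSSL_CLIENTCERT {
    # Refuse the connection unless a certificate was sent and it verified.
    if { ([SSL::cert count] < 1) || ([SSL::verify_result] != 0) } {
        reject
        return
    }
    # Parse the certificate once per handshake; these variables are scoped
    # to the connection and are reused for every later request on it.
    set client_cert  [SSL::cert 0]
    set cert_subject [X509::subject $client_cert]
    set cert_issuer  [X509::issuer $client_cert]
    set cert_status  [X509::verify_cert_error_string [SSL::verify_result]]
    set ssl_sid      [SSL::sessionid]
    # Resume the request that HTTP::collect held during renegotiation.
    HTTP::release
}

when HTTP_REQUEST {
    # Remove any copies of the identity headers sent by the client, so the
    # application never trusts a value this iRule did not write.
    foreach name {X-SSL-Session-ID X-SSL-Client-Cert-Status SSL_CLIENT_S_DN SSL_CLIENT_I_DN} {
        HTTP::header remove $name
    }
    set p [URI::query [HTTP::uri] "p"]
    # Same trigger as the original: protected URI and no certificate yet.
    if { (($p contains "ESAT") || ($p contains "311")) && ([SSL::cert count] == 0) } {
        HTTP::collect
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode request
        SSL::renegotiate
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        # Only set once CLIENTSSL_CLIENTCERT has accepted a certificate.
        if { [info exists cert_subject] } {
            HTTP::header insert "X-SSL-Session-ID" $ssl_sid
            HTTP::header insert "X-SSL-Client-Cert-Status" $cert_status
            HTTP::header insert "SSL_CLIENT_S_DN" $cert_subject
            HTTP::header insert "SSL_CLIENT_I_DN" $cert_issuer
        }
    }
}
```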