Forum Discussion

James_D__376338
Apr 11, 2019

Using iRule to prompt for Client SSL Cert

Currently we have it configured where the Client SSL profile requests once for a cert, which prompts the user to authenticate with their PIV. This is causing issues with a few edge cases. What I would like to do is move the request into an iRule when the user hits a specific URI query such as below:

when HTTP_REQUEST {
    if { [URI::query [HTTP::uri]] contains "authenticator=PIVAuthenticator" } {
        # prompt for the client certificate here
    }
}

Any ideas on how to proceed would be greatly appreciated.

  • when CLIENTSSL_CLIENTCERT {
        # Fires when the renegotiated handshake has delivered the client
        # certificate (or finished without one). Release the request that
        # HTTP_REQUEST parked with HTTP::collect, then drop the connection
        # if no certificate arrived.
        HTTP::release
        if { [SSL::cert count] < 1 } {
            reject
        }
    }

    when HTTP_REQUEST {
        # Only the tagged URIs trigger the prompt, and only when this
        # connection has not already presented a certificate.
        if { ([URI::query [HTTP::uri]] contains "auth=x509") || ([URI::query [HTTP::uri]] contains "auth=auth2") } {
            if { [SSL::cert count] < 1 } {
                # Hold the request, switch the connection to require a
                # client certificate, and renegotiate so the browser
                # prompts for it mid-connection.
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }

    when HTTP_REQUEST_SEND {
        clientside {
            # Pass the certificate details to the pool member as headers.
            if { [SSL::cert count] > 0 } {
                HTTP::header insert "SSLClientCertStatus"       [X509::verify_cert_error_string [SSL::verify_result]]
                HTTP::header insert "SSLClientCertSerialNumber" [X509::serial_number [SSL::cert 0]]
                HTTP::header insert "SSLClientCertSubject"      [X509::subject [SSL::cert 0]]
                HTTP::header insert "SSLClientCert"             [X509::whole [SSL::cert 0]]
            }
        }
    }
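
The reply above inserts the SSLClientCert* headers only when a certificate is present, and nothing removes copies of those headers that a client might send itself, so an unauthenticated request carrying a forged "SSLClientCertSubject" header would reach the pool member untouched. The following iRule is an added example, not code from the thread or from F5: it keys the prompt to the original poster's authenticator=PIVAuthenticator parameter, scrubs the backend-facing headers from every inbound request, and forwards certificate details only when the chain verified. It assumes a Client SSL profile with Client Certificate set to ignore or request (not require) and a trusted CA bundle configured, an HTTP/1.x virtual server over TLS 1.2 or earlier (TLS 1.3 removed renegotiation and HTTP/2 forbids it, so SSL::renegotiate cannot be used on those connections), and the header names and log messages are made up for the example.

```tcl
# Added example (not from the thread): on-demand PIV prompt keyed to the
# original poster's trigger, with the backend-facing cert headers scrubbed
# from every inbound request so a client cannot forge them.
# Assumptions: Client SSL profile attached with Client Certificate set to
# ignore or request (never require), a trusted CA bundle configured, and an
# HTTP/1.x virtual server over TLS 1.2 or earlier (no renegotiation exists in
# TLS 1.3 or under HTTP/2). Header names and log text are made up.

when HTTP_REQUEST {
    # Never trust these from the wire: strip any copy the client sent so the
    # backend only ever sees values inserted below in HTTP_REQUEST_SEND.
    foreach h { "SSLClientCertStatus" "SSLClientCertSerialNumber" "SSLClientCertSubject" "SSLClientCert" } {
        if { [HTTP::header exists $h] } {
            HTTP::header remove $h
        }
    }

    # Match the named query parameter exactly rather than a substring of the
    # whole query string, so "?xauthenticator=PIVAuthenticator2" does not fire.
    if { [URI::query [HTTP::uri] "authenticator"] equals "PIVAuthenticator" } {
        if { [SSL::cert count] < 1 } {
            # Park the request until CLIENTSSL_CLIENTCERT releases it, then
            # ask the client for a certificate on this existing connection.
            HTTP::collect
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        } elseif { [SSL::verify_result] != 0 } {
            # A cert is already held on this connection but its chain did not
            # validate (possible when the profile was in "request" mode).
            HTTP::respond 403 content "client certificate not accepted" "Connection" "close"
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires once the renegotiated handshake has delivered (or failed to
    # deliver) the client certificate. Release the parked request either way;
    # drop the connection if there is no cert or its chain did not verify.
    HTTP::release
    if { [SSL::cert count] < 1 } {
        log local0. "[IP::client_addr]: PIV prompt returned no certificate"
        reject
        return
    }
    if { [SSL::verify_result] != 0 } {
        log local0. "[IP::client_addr]: client cert failed validation: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        # Only a verified certificate is forwarded; requests that were not
        # prompted reach the backend with none of these headers at all.
        if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
            HTTP::header insert "SSLClientCertStatus"       [X509::verify_cert_error_string [SSL::verify_result]]
            HTTP::header insert "SSLClientCertSerialNumber" [X509::serial_number [SSL::cert 0]]
            HTTP::header insert "SSLClientCertSubject"      [X509::subject [SSL::cert 0]]
            HTTP::header insert "SSLClientCert"             [X509::whole [SSL::cert 0]]
        }
    }
}
```

The scrubbing loop runs on every request, not just the triggered ones, because the backend presumably trusts those headers on any path once it has seen them on the PIV path; the verify_result checks mean a certificate that was presented but chained to an untrusted issuer is treated the same as no certificate.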
    