ltm rule command X509 cert fields
iRule(1) BIG-IP TMSH Manual iRule(1)
X509::cert_fields
Returns a list of X509 certificate fields to be added to HTTP headers
for ModSSL behavior.
SYNOPSIS
X509::cert_fields CERTIFICATE ERROR_CODE ((hash | issuer | serial | sigalg | subject | subpubkey | validity | versionnum | whole)#)?
DESCRIPTION
When given a valid certificate, returns a TCL list of field names and
values which can be added to the HTTP headers in order to emulate
ModSSL behavior. The output can be passed to 'HTTP::header insert
$list' as a list for insertion in the HTTP request or response.
Syntax
X509::cert_fields <certificate> <error code> [<field> ...]
* Returns a list of fields to be added to the HTTP headers in order
to emulate ModSSL behavior. The return type is a Tcl list that the
system then interprets as header-name/header-value pairs.
Optional <field> arguments can be one or more of the following:
* hash | issuer | serial | sigalg | subject | subpubkey | validity |
versionnum | whole
RETURN VALUE
Returns a list of X509 certificate fields to be added to HTTP headers.
VALID DURING
ANY_EVENT
EXAMPLES
when RULE_INIT {
# Session timeout. Length of time (in seconds) to store the client cert in the session table.
set ::session_timeout 3600
# SSL::sessionid returns 64 0's if the session ID doesn't exist, so set a variable to check for this
set ::null_sessionid [string repeat 0 64]
}
when CLIENTSSL_CLIENTCERT {
#################################################
# Need to first check if there is a cert and that it's valid
# ...
#################################################
# Save the first cert in the client request
set cert [SSL::cert 0]
# Save the cert fields to a list
set fields [X509::cert_fields $cert [SSL::verify_result] hash issuer serial sigalg subject subpubkey validity versionnum whole]
log local0. "Client certificate fields - $fields"
# Add the cert to the session table for use in subsequent HTTP requests. Use the SSL session ID as the key.
session add ssl [SSL::sessionid] [list $cert $fields] $::session_timeout
}
when HTTP_REQUEST {
# Check if there is an existing SSL session ID and if the cert is in the session table
if {[SSL::sessionid] ne $::null_sessionid && [session lookup ssl [SSL::sessionid]] ne ""} {
# Insert SSL cert details in the HTTP headers
HTTP::header insert [lindex [session lookup ssl [SSL::sessionid]] 1]
} else {
# Send a response back to the client indicating they didn't present a valid cert.
HTTP::respond 200 content [subst {Invalid request with SSL session ID [SSL::sessionid]}]
}
}
when RULE_INIT {
# Length of time (in seconds) to keep the cert fields in the session table
set ::timeout 3600
}
when CLIENTSSL_CLIENTCERT {
if { [SSL::cert count] > 0 } {
session add ssl [SSL::sessionid] [X509::cert_fields [SSL::cert 0] [SSL::verify_result] whole] $::timeout
}
}
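The following is an added example, not from this manual page or F5's own iRule examples: a hardened variant of the two examples above. It assumes a virtual server with a client SSL profile that requests a client certificate and an HTTP profile, and that the list X509::cert_fields returns alternates header names and values (as the DESCRIPTION states), so it can be walked with foreach. The session-ID caching and the 64-zero null check follow the first example; the static:: variable names are this example's own.

```tcl
# Added example (not from the F5 manual page). Assumptions: client SSL profile
# with client authentication set to request/require, HTTP profile attached,
# and X509::cert_fields returning a flat name/value list.
when RULE_INIT {
    # Assumed names: static:: variables instead of the ::globals used above
    set static::cert_session_timeout 3600
    set static::null_sessionid [string repeat 0 64]
}

when CLIENTSSL_CLIENTCERT {
    # Cache header fields only when a certificate was presented AND it passed
    # chain validation. SSL::verify_result returns 0 on success.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set fields [X509::cert_fields [SSL::cert 0] [SSL::verify_result] \
            hash issuer serial sigalg subject validity versionnum]
        session add ssl [SSL::sessionid] $fields $static::cert_session_timeout
    } else {
        # Nothing is cached, so the HTTP_REQUEST below will refuse the request
        log local0. "Client cert rejected: count=[SSL::cert count] verify_result=[SSL::verify_result]"
    }
}

when HTTP_REQUEST {
    set sid [SSL::sessionid]
    # No session ID, or no verified certificate cached for it: refuse rather
    # than forward the request without certificate headers.
    if { $sid eq $static::null_sessionid } {
        HTTP::respond 403 content "Client certificate required"
        return
    }
    set fields [session lookup ssl $sid]
    if { $fields eq "" } {
        HTTP::respond 403 content "Client certificate required"
        return
    }
    # HTTP::header insert adds headers; it does not replace ones the client
    # already sent. Strip any inbound header with the same name first so a
    # client cannot spoof the certificate-derived values the backend trusts.
    foreach {name value} $fields {
        HTTP::header remove $name
    }
    HTTP::header insert $fields
}
```

The differences that matter for a practitioner: only a certificate that passed verification is cached, a request with no cached certificate gets a 403 instead of a 200, and because HTTP::header insert appends rather than replaces, client-supplied copies of the same header names are removed before insertion so the backend cannot be fed a forged subject or issuer.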
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-9.0.0 --First introduced the command.
BIG-IP 2017-01-31 iRule(1)