When Avi sends a certificate in RAW format in a HTTP header the backend server returns error HTTP 400 "Header Folding"



Article ID: 391555


Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

When client SSL certificate validation is enabled in the HTTP application profile, you have the option to insert an HTTP header carrying the client certificate in RAW (PEM) format.

Example Configuration:

The client certificate can also be placed in a header from a DataScript, using the function avi.ssl.client_cert(avi.CLIENT_CERT).

SSL Functions

However, some backend applications reject the request with HTTP 400 "Header Folding" when either of these methods is used.

 

Environment

Affects all product versions.

Cause

The Avi Service Engine sends the certificate in the header using header folding, as permitted by RFC 2616: the header value continues across multiple lines, each continuation line starting with whitespace. Header folding has since been deprecated; RFC 7230 (section 3.2.4) allows a server that receives a folded header in a request to reject the message with 400 (Bad Request), which is the error seen here. This method of sending the certificate remains available on Avi for legacy use cases.

RFC2616

Example:

Resolution

If the backend application server does not accept a certificate sent as multiple lines in the HTTP header, you may use the SSL Client Certificate Escaped format instead. This encodes the certificate (base64) as a single line in the HTTP header; the backend application must decode the header value before parsing the PEM certificate.

HTTP Application Profile Example:

Data Script Example:

-- Fetch the client certificate in escaped (single-line) form
local escaped_cert = avi.ssl.client_cert(avi.CLIENT_CERT_ESCAPED)
-- Record the value in the virtual service log for troubleshooting
avi.vs.log(escaped_cert)
-- Pass it to the backend in a custom request header
avi.http.add_header("escaped_client_cert", escaped_cert)

Reference Documentation:

HTTP/Datascript

 

If the backend servers cannot use the escaped certificate format either, you may use the following DataScript to format the certificate as a single line. This script removes the newline (\n) at each folded continuation of the PEM-formatted certificate so that the value is sent on a single line.

**NOTE**: The backend application must be able to parse a PEM certificate whose line breaks have been removed (the tab that followed each newline is kept as the separator).

-- Fetch the client certificate once; nil when no client certificate was presented
local client_cert = avi.ssl.client_cert(avi.CLIENT_CERT)
if client_cert then
    -- Collapse each folded continuation ("\n" followed by a tab) onto one line,
    -- keeping the tab as the separator between the original PEM lines
    local cert_data = string.gsub(client_cert, "\n\t", "\t")
    avi.http.add_header("SSL_CLIENT_CERT", cert_data)
end

Steps:

  1. Navigate to Templates > Scripts > DataScripts and click "Create".
  2. Enter a name for the script, then under "HTTP Events" click "ADD" and select "HTTP Request". Paste the script and save.
  3. Navigate to the virtual service, click edit (pencil), go to the Policies tab, select DataScripts and click "Add DataScript". Select the DataScript object you created and save.
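The following is an added example (not code from this article or from the Avi product) showing the backend side of both the cause and the resolution above. It constructs the header value in each shape a backend may receive: the RFC 2616 folded value the Service Engine sends, the tab-joined single line produced by the DataScript, and an escaped single-line value. Each is normalised back to canonical PEM and checked with the Python standard library. The exact encoding of the escaped format is an assumption here (both URL-encoding and base64 are accepted), and the certificate body is a constructed ASN.1 placeholder, not a real certificate.

```python
"""Backend-side handling of a client certificate received in an HTTP header.

Added example, not code from the Avi article or the product. The encoding of
the "escaped" format is an assumption (URL-encoded or base64 PEM are tried),
and the certificate body is a constructed placeholder, not a real certificate.
"""
import base64
import binascii
import re
import ssl
from urllib.parse import quote, unquote

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed stand-in for DER: SEQUENCE { OCTET STRING (100 bytes) }.
# Long enough that the PEM body wraps onto several lines, so folding is exercised.
FAKE_DER = b"\x30\x66\x04\x64" + bytes(range(100))


def build_pem(der: bytes) -> str:
    """Canonical PEM: 64-column base64 between the BEGIN/END markers."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *body, PEM_END]) + "\n"


def fold_header_value(pem: str) -> str:
    """Simulate RFC 2616 header folding: each continuation line starts with a tab."""
    return "\n\t".join(pem.strip().split("\n"))


def tab_join(folded: str) -> str:
    """What the article's DataScript does: string.gsub(cert, "\\n\\t", "\\t")."""
    return folded.replace("\n\t", "\t")


_OBS_FOLD = re.compile(r"\r?\n[ \t]+")


def normalize_client_cert_header(value: str) -> str:
    """Turn any of the header encodings back into canonical PEM.

    Raises ValueError when the value cannot be recognised, so a malformed or
    tampered header never reaches the certificate parser.
    """
    v = value.strip()
    if PEM_BEGIN not in v:
        # Escaped single-line form (assumption: URL-encoded or base64 PEM).
        candidate = unquote(v)
        if PEM_BEGIN not in candidate:
            try:
                candidate = base64.b64decode(v, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError) as exc:
                raise ValueError("unrecognised client certificate header") from exc
        v = candidate
    # Unfold obs-fold continuations, then treat the DataScript's tabs as whitespace.
    v = _OBS_FOLD.sub(" ", v).replace("\t", " ")
    try:
        start = v.index(PEM_BEGIN) + len(PEM_BEGIN)
        end = v.index(PEM_END, start)
    except ValueError as exc:
        raise ValueError("PEM markers missing from client certificate header") from exc
    body = re.sub(r"\s+", "", v[start:end])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("client certificate body is not valid base64") from exc
    return build_pem(der)


def pem_to_der(pem: str) -> bytes:
    """Standard-library check that the normalised value is well-framed PEM."""
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed header values, one per format discussed in the article.
CANONICAL_PEM = build_pem(FAKE_DER)
FOLDED_HEADER = fold_header_value(CANONICAL_PEM)        # what the Service Engine sends
TAB_JOINED_HEADER = tab_join(FOLDED_HEADER)             # output of the DataScript
URL_ESCAPED_HEADER = quote(CANONICAL_PEM, safe="")      # escaped format (assumed encoding)
B64_ESCAPED_HEADER = base64.b64encode(CANONICAL_PEM.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    samples = [("folded", FOLDED_HEADER), ("tab-joined", TAB_JOINED_HEADER),
               ("url-escaped", URL_ESCAPED_HEADER), ("base64", B64_ESCAPED_HEADER)]
    for name, hdr in samples:
        der = pem_to_der(normalize_client_cert_header(hdr))
        print(f"{name:12s} -> {len(der)} DER bytes, round trip ok: {der == FAKE_DER}")
```

Whichever format is chosen, the backend should accept the header only on connections that arrive from the load balancer, and should reject (rather than guess at) values that do not normalise cleanly.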