Nimbostratus
Nimbostratus
You are correct. By default the F5 just does a Revocation Status check (this check is a list of revoked SSL Certificates contained within a file on the local BigIP. I am sure that you could write a script to update this file, but that would be on the local system and possibly a cron job).
By default you can set your Client SSL Profile to ignore, require, request, or automatically handle Client SSL Certificates and even control which CA's you will accept SSL Certificates from, but any additional functionality beyond that must be done in an iRule as you suspected.
This is a simple example that compares the SSL Certificate Serial Number with a Data Group List to determine if the requesting client should be allowed access. You could use an alternate method if you like.
when CLIENTSSL_CLIENTCERT {
if { [SSL::cert count] == 0 } {
log local0. "No Certificate Provided"
drop
}
else {
log local0. "Certificate 1: [X509::serial_number [SSL::cert 0]]"
log local0. "Certificate 2: [X509::serial_number [SSL::cert 1]]"
log local0. "Client Certificate Recieved - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
if { [class match [X509::serial_number [SSL::cert 0]] equals ValidCertificates] } {
log local0. "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
}
else {
log local0. "Client Rejected -IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
reject
}
}
}
As I said though, this is a SIMPLE example. You will need to loop through all SSL Certificates (this iRule does not do that because it was just a proof of concept) presented by the client and check all and based on what you find (whatever criteria you want to compare against) set a flag that you could use in the HTTP_REQUEST Event to route the traffic to the destination (or throw a 403 status, etc.).
Hope this helps.