Forum Discussion
Rob_Wismans_179
Nimbostratus
NimbostratusBypass Client Certificate authentication
Hello,
I have an existing working irule that handles client authentication.
The Client SSL Profile is set to request a client certificate.
My question: How to bypass this existing client certificate handling when no certificate is presented
I have tried to insert some logic in the else statement in CLIENTSSL_CLIENTCERT, but that does not work.
Rob_Wismans_179when RULE_INIT { "0" to disable logging, "1" to enable reject logging and "2" to enable debug logging set static::debug 2 }- Rob_Wismans_179
when CLIENT_ACCEPTED { if { $static::debug == 2 } { log local0. "CIP: Client connected from [IP::client_addr]:[TCP::client_port]" } } when CLIENTSSL_CLIENTCERT { if { $static::debug == 2 } { Check if client presented a cert after it was requested/required if { [SSL::cert count] > 0 } { Loop through each cert and log the cert subject, issuer and serial number for { set i 0 } { $i < [SSL::cert count] } { incr i } { log local0. "CIP: [IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]];\ [X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]];" } } else { log local0. "CIP: [IP::client_addr]:[TCP::client_port]: No client cert found!" } } } - Rob_Wismans_179
when CLIENTSSL_HANDSHAKE { if { $static::debug == 2 } { log local0. "CIP: Handshake event triggered" } set cert_subject [X509::subject [SSL::cert 0]] if { $static::debug == 2 } { log local0. "CIP: Start processing certificate $cert_subject" } By default reject the certificate set reject 1 set auth "" Lookup the subject in the datagrouplist and return as a list with name and value paired set matches [class match -element -all $cert_subject contains /CIP/CIP-Client_Cert-Test02] if { $static::debug == 2 } { log local0. "CIP: Found [llength $matches] matches in datagroup, Value Of: $matches" } Check for valid result from lookup if { [llength $matches] != 0 } { set auth [lindex $matches 1] if { $static::debug == 2 } { log local0. "CIP: Matching client certificate (DN: $cert_subject, SN: [X509::serial_number [SSL::cert 0]], Auth: $auth)" } set reject 0 } } - Rob_Wismans_179
when HTTP_REQUEST { if { $reject } { if { $static::debug == 2 } { log local0. "CIP: Client certificate rejected (DN: $cert_subject)" } HTTP::respond 200 content { Denied Your client is denied access. } TCP::close reject } if {$auth ne ""} { if { $static::debug == 2 } { log local0. "CIP: Adding Authorization: Basic $auth" } HTTP::header remove "Authorization" HTTP::header insert "Authorization" "Basic $auth" } } 
Leonardo_SouzaCirrocumulus
Can you clarify the behaviour you get?
You said the message you put in the "else" did not have output, but did the "if" was executed? Was the event CLIENTSSL_CLIENTCERT triggered?