
Forum Discussion

Muhammad_Irfan1
Dec 11, 2014

Client authentication is set to require but not getting any log from this iRule

when CLIENTSSL_CLIENTCERT {

  # Debug flag
  set debug 1

  # Check if client presented a cert after it was requested/required
  if {[SSL::cert count] > 0} {

    # Client presented at least one cert.  The actual client cert should always be first.
    if {$debug > 1} {

      # Loop through each cert and log the cert subject, issuer and serial number
      for {set i 0} {$i < [SSL::cert count]} {incr i} {
        log local0. "[IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]];\
          issuer=[X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]];"
      }
    }
  } else {
    if {$debug > 1} {log local0. "[IP::client_addr]:[TCP::client_port]: No client cert found!"}
  }
}

3 Replies

  • What I see is that you are checking $debug for greater than 1 (if {$debug > 1}) and then in your else statement, you're checking for $debug to be greater than 1 again, so since your $debug is set to 1, it'll never log anything.

    I'd say either set the debug variable to 2 or greater, or else change the code to check >= instead of just >.

  • To accomplish what you're asking, I reworked the iRule a little bit to clean up the code a little bit. Only thing you may have to change is the [SSL::cert 0] to [SSL::cert 1] if you get an error, as I'm not sure if it's a 0 or 1 based array. See if that helps.

    when CLIENTSSL_CLIENTCERT {
        # Debug flag
        set debug 1

        if {$debug >= 1} {
            # Check if client presented a cert after it was requested/required
            if {[SSL::cert count] > 0} {
                # Log the subject of the first (client) cert
                log local0. "[IP::client_addr]:[TCP::client_port]: subject=[X509::subject [SSL::cert 0]]"
            } else {
                log local0. "[IP::client_addr]:[TCP::client_port]: No client cert found!"
            }
        }
    }
  • I will be grateful if you can somehow add server connected entry as well in the above iRule the rest is perfect.

    e.g.

    # configuration

    [root@ve11a:Active:In Sync] config # tmsh list ltm rule qux
    ltm rule qux {
        when RULE_INIT {
            set static::debug 1
        }
        when CLIENTSSL_CLIENTCERT {
            if { $static::debug } {
                if { [SSL::cert count] > 0 } {
                    set sbj "[X509::subject [SSL::cert 0]]"
                } else {
                    set sbj "No client cert found!"
                }
            }
        }
        when SERVER_CONNECTED {
            if { $static::debug } {
                log local0. "client=[IP::client_addr]:[TCP::client_port] server=[IP::server_addr]:[TCP::server_port] cert=$sbj"
            }
        }
    }

    # /var/log/ltm

    [root@ve11a:Active:In Sync] config # tail -f /var/log/ltm
    Dec 13 15:55:26 ve11a info tmm[14890]: Rule /Common/qux : client=172.28.24.1:56501 server=200.200.200.101:80 cert=No client cert found!
    Dec 13 15:55:27 ve11a info tmm1[14890]: Rule /Common/qux : client=172.28.24.1:56502 server=200.200.200.101:80 cert=CN=client.acme.com,OU=IT,O=Acme,ST=WA,C=US
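The rule above writes one /var/log/ltm line per backend connection, which is only useful if someone reads them. As an added example, not part of this thread and not F5 code, here is a small Python parser for that line format that groups sessions per backend server and lists the clients that connected without presenting a certificate. It assumes the layout shown in the tail output (the optional `<EVENT>` tag after the rule name is an assumption about how BIG-IP prints rule log lines; the lines quoted in the post show it without one), and that the subject string is a plain comma-separated RDN list as written by X509::subject. The sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/ltm lines in the format the qux iRule emits.
# The last line is unrelated daemon output that the parser must skip.
SAMPLE_LTM_LOG = [
    "Dec 13 15:55:26 ve11a info tmm[14890]: Rule /Common/qux : client=172.28.24.1:56501 server=200.200.200.101:80 cert=No client cert found!",
    "Dec 13 15:55:27 ve11a info tmm1[14890]: Rule /Common/qux : client=172.28.24.1:56502 server=200.200.200.101:80 cert=CN=client.acme.com,OU=IT,O=Acme,ST=WA,C=US",
    "Dec 13 15:56:02 ve11a info tmm[14890]: Rule /Common/qux <SERVER_CONNECTED>: client=172.28.24.7:40112 server=200.200.200.102:443 cert=CN=batch01.acme.com,O=Acme,C=US",
    "Dec 13 15:56:03 ve11a info tmm[14890]: Rule /Common/qux <SERVER_CONNECTED>: client=172.28.24.9:40113 server=200.200.200.102:443 cert=No client cert found!",
    "Dec 13 15:56:04 ve11a notice mcpd[5123]: 01070417:5: unrelated line that the parser skips",
]

# Marker string the iRule stores in $sbj when SSL::cert count is 0.
NO_CERT_MARKER = "No client cert found!"

# Syslog prefix, tmm process tag, rule name, optional <EVENT> tag (assumed),
# then the three key=value fields the iRule writes. cert= is last and may contain commas.
LTM_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+ tmm\d*\[\d+\]: "
    r"Rule (?P<rule>\S+)\s*(?:<\w+>)?\s*: "
    r"client=(?P<client>\S+) server=(?P<server>\S+) cert=(?P<cert>.*)$"
)


def parse_ltm_line(line):
    """Parse one log line; return a dict with ts, host, rule, client, server and
    subject (None when the iRule logged the no-cert marker), or None if the line
    is not a rule log line in this format."""
    m = LTM_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    cert = rec.pop("cert").strip()
    rec["subject"] = None if cert == NO_CERT_MARKER else cert
    return rec


def subject_field(subject, name):
    """Return one RDN value (e.g. 'CN') from a subject like 'CN=a,OU=b,O=c'.
    Splits on bare commas only; escaped commas inside an RDN value are not handled."""
    for part in subject.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == name.upper():
            return value.strip()
    return None


def summarize(lines):
    """Per backend server: total sessions, sessions with no client cert, and the
    set of client CNs seen. Lines the parser rejects are ignored."""
    summary = defaultdict(lambda: {"total": 0, "no_cert": 0, "client_cns": set()})
    for line in lines:
        rec = parse_ltm_line(line)
        if rec is None:
            continue
        entry = summary[rec["server"]]
        entry["total"] += 1
        if rec["subject"] is None:
            entry["no_cert"] += 1
        else:
            cn = subject_field(rec["subject"], "CN")
            if cn:
                entry["client_cns"].add(cn)
    return dict(summary)


def clients_without_cert(lines):
    """Sorted list of client addr:port values that reached a backend with no client cert."""
    found = set()
    for line in lines:
        rec = parse_ltm_line(line)
        if rec is not None and rec["subject"] is None:
            found.add(rec["client"])
    return sorted(found)


if __name__ == "__main__":
    for server, entry in summarize(SAMPLE_LTM_LOG).items():
        print(f"{server}: {entry['total']} sessions, {entry['no_cert']} without cert, "
              f"CNs={sorted(entry['client_cns'])}")
    print("clients without cert:", clients_without_cert(SAMPLE_LTM_LOG))
```

Feed it `tail -n 1000 /var/log/ltm` (or a copy of the file) instead of the sample list to get the same per-server view of real traffic; a non-zero `no_cert` count on a pool that is supposed to enforce client certificates is the line worth alerting on.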