Forum Discussion
Muhammad_Irfan1
Cirrus
Dec 11, 2014
Client authentication is set to require but not getting any log from this iRule
when CLIENTSSL_CLIENTCERT {
    # Debug flag
    set debug 1
    # Check if client presented a cert after it was requested/required
    if {[SSL::cert count] > 0}{
        # Client presented at least one cert. ...
nitass
Employee
Dec 13, 2014
I will be grateful if you can somehow add a server connected entry as well in the above iRule; the rest is perfect.
e.g.
configuration
[root@ve11a:Active:In Sync] config # tmsh list ltm rule qux
ltm rule qux {
    when RULE_INIT {
        set static::debug 1
    }
    when CLIENTSSL_CLIENTCERT {
        if { $static::debug } {
            if { [SSL::cert count] > 0 } {
                set sbj "[X509::subject [SSL::cert 0]]"
            } else {
                set sbj "No client cert found!"
            }
        }
    }
    when SERVER_CONNECTED {
        if { $static::debug } {
            log local0. "client=[IP::client_addr]:[TCP::client_port] server=[IP::server_addr]:[TCP::server_port] cert=$sbj"
        }
    }
}
/var/log/ltm
[root@ve11a:Active:In Sync] config # tail -f /var/log/ltm
Dec 13 15:55:26 ve11a info tmm[14890]: Rule /Common/qux : client=172.28.24.1:56501 server=200.200.200.101:80 cert=No client cert found!
Dec 13 15:55:27 ve11a info tmm1[14890]: Rule /Common/qux : client=172.28.24.1:56502 server=200.200.200.101:80 cert=CN=client.acme.com,OU=IT,O=Acme,ST=WA,C=US
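
Added example, not part of the thread and not F5 code: a Python sketch that parses the lines the iRule above writes to /var/log/ltm and lists connections that reached a server without a client certificate, or with a subject CN outside an allow-list. The function names and the allow-list parameter are assumptions made for this example.

```python
import re

# Sample input: the first two lines are the thread's /var/log/ltm output,
# the third is constructed to show a non-matching line being skipped.
SAMPLE_LOG = """\
Dec 13 15:55:26 ve11a info tmm[14890]: Rule /Common/qux : client=172.28.24.1:56501 server=200.200.200.101:80 cert=No client cert found!
Dec 13 15:55:27 ve11a info tmm1[14890]: Rule /Common/qux : client=172.28.24.1:56502 server=200.200.200.101:80 cert=CN=client.acme.com,OU=IT,O=Acme,ST=WA,C=US
Dec 13 15:55:29 ve11a info tmm[14890]: Rule /Common/other : unrelated message
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) \S+ tmm\d*\[\d+\]: "
    r"Rule (?P<rule>\S+) : client=(?P<client>\S+) server=(?P<server>\S+) "
    r"cert=(?P<cert>.*)$"
)
NO_CERT = "No client cert found!"  # literal string set by the iRule


def parse_subject(subject):
    """Split an X509::subject string into a dict (naive: no escaped commas)."""
    pairs = (part.split("=", 1) for part in subject.split(",") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}


def parse_line(line):
    """Return a record for one iRule log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["has_cert"] = rec["cert"] != NO_CERT
    rec["subject"] = parse_subject(rec["cert"]) if rec["has_cert"] else {}
    return rec


def audit(log_text, allowed_cns=()):
    """Return (records, findings). A finding is a connection that reached a
    server with no client cert, or with a CN outside allowed_cns (if given)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    for r in records:
        if not r["has_cert"]:
            findings.append((r["client"], "no client certificate"))
        elif allowed_cns and r["subject"].get("CN") not in allowed_cns:
            findings.append((r["client"], "unexpected CN " + r["subject"].get("CN", "?")))
    return records, findings
```

Calling `audit(SAMPLE_LOG)` on the thread's two log lines reports the 15:55:26 connection from 172.28.24.1:56501, which reached the pool member without presenting a certificate.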