Forum Discussion
Bob_Vance_75936
Altostratus
Jul 30, 2010
Client cert auth and irule formatting
Hello,
I am new to irules and I'm having trouble entering in this irule via the bigpipe shell. It's the only access I currently have at the moment. Am I formatting the irule incorrectly or using incorrect punctuation?
Here is the irule I am trying to use:
rule Client_Cert_Auth {
    when CLIENTSSL_CLIENTCERT {
        set CN "www.foo.com"
        set OU "OU"
        set O "Organization"
        set L "Locale"
        set S "State"
        set C "Country"
        set I "Issuer"
        set issuer_dn [X509::issuer [SSL::cert 0]]
        set subject_dn [X509::subject [SSL::cert 0]]
        set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
        log "Client Certificate Received: $subject_dn"
        if {($ssl_errstr eq "ok") and ($subject_dn matches $CN) and ($subject_dn matches $OU) and ($subject_dn matches $O) and ($subject_dn matches $L) and ($subject_dn matches $S) and ($subject_dn matches $C) and ($issuer_dn matches $I)} {
            log "Client Certificate Accepted: $subject_dn"
            log "ssl_errstr value is: $ssl_errstr"
            pool vip-10.1.1.1_80
        } else {
            log "Client Certificate Rejected: $subject_dn"
            reject
        }
    }
}
Here is the output when I try to create it. I don't get very far.
bp>rule Client_Cert_Auth {
>>>when CLIENTSSL_CLIENTCERT {
>>>set CN "www.foo.com"
BIGpipe parsing error: 012e0021:3: The requested attribute (set CN) for 'rule' is invalid.
Here is the version I am running:
Kernel:
Linux 2.4.21-9.4.6.401.0smp
Package:
BIG-IP Version 9.4.6 401.0 Final Edition
Thanks for any help!
5 Replies
- Bob_Vance_75936
Altostratus
I was able to get access to the config utility and enter in the irule that way. However, I receive back the following error:
01070151:3: Rule [Client_Cert_Auth] error:
line 13: [parse error: PARSE syntax 503 {syntax error in expression "($ssl_errstr eq "ok") and ($subject_dn matches $CN) and ($su...": looking for close parenthesis}] [{($ssl_errstr eq "ok") and ($subject_dn matches $CN) and ($subject_dn matches $OU) and ($subject_dn matches $O) and ($subject_dn matches $L) and ($subject_dn matches $S) and ($subject_dn matches $C) and ($issuer_dn matches $I)}]
line 22: [command is not valid in the current scope] [}]
The line 13 error seems to be looking for an additional }?
The line 22 error seemed to be an extra }
- Bob_Vance_75936
Altostratus
Does anyone know what is wrong with the code below? I have searched around without any luck so far. I don't see where I'd need an additional parenthesis... Any help is greatly appreciated.
01070151:3: Rule [Client_Cert_Auth] error:
line 13: [parse error: PARSE syntax 503 {syntax error in expression "($ssl_errstr eq "ok") and ($subject_dn matches $CN) and ($su...": looking for close parenthesis}] [{($ssl_errstr eq "ok") and ($subject_dn matches $CN) and ($subject_dn matches $OU) and ($subject_dn matches $O) and ($subject_dn matches $L) and ($subject_dn matches $S) and ($subject_dn matches $C) and ($issuer_dn matches $I)}]
- Bob_Vance_75936
Altostratus
I replaced 'matches' with 'contains' and it compiled correctly. I would still like to figure out why contains is accepted, but matches is not.
if {($ssl_errstr equals "ok") and ($subject_dn matches $CN) and ($subject_dn matches $OU) and ($subject_dn matches $O) and ($subject_dn matches $L) and ($subject_dn matches $S) and ($subject_dn matches $C) and ($issuer_dn matches $I)} {
is now:
if {($ssl_errstr equals "ok") and ($subject_dn contains $CN) and ($subject_dn contains $OU) and ($subject_dn contains $O) and ($subject_dn contains $L) and ($subject_dn contains $S) and ($subject_dn contains $C) and ($issuer_dn contains $I)} {
- hoolio
Cirrostratus
Hi Bob,
The matches wiki page indicates matches isn't valid in 9.4.8 or 10.x:
http://devcentral.f5.com/wiki/default.aspx/iRules/matches
This command doesn't seem to exist in 9.4.8 or 10 and was replaced in 10 with matches_glob
Aaron
- Bob_Vance_75936
Altostratus
Thanks Aaron. This info will be helpful in our v9.x to v10 upgrade planning.
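The working iRule above accepts a certificate when each expected value merely occurs somewhere in the subject DN string ("contains"). The following is an added example, not code from the thread or from F5, that contrasts that substring test with an exact per-attribute comparison of the same fields; it assumes the DN strings use OpenSSL's one-line form ("C=Country, ST=State, ..., CN=www.foo.com"), since the page does not show what X509::subject actually returns, and maps the iRule's "S" variable to the X.509 attribute "ST".

```python
import re

# Expected subject fields, using the placeholder values from the post.
# The iRule's variable "S" is taken to mean the X.509 attribute "ST" (assumption).
EXPECTED_SUBJECT = {"CN": "www.foo.com", "OU": "OU", "O": "Organization",
                    "L": "Locale", "ST": "State", "C": "Country"}
EXPECTED_ISSUER_CN = "Issuer"


def dn_to_dict(dn):
    """Parse a one-line DN ("C=Country, ST=State, ..., CN=www.foo.com") into
    {attribute: value}. Escaped commas ("\\,") stay inside a value, and a
    repeated attribute is rejected so a second CN cannot shadow the first."""
    fields = {}
    for rdn in re.split(r"(?<!\\),\s*", dn.strip()):
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        key = key.strip().upper()
        if key in fields:
            raise ValueError("duplicate attribute: %s" % key)
        fields[key] = value.strip().replace("\\,", ",")
    return fields


def substring_check(subject_dn, expected=EXPECTED_SUBJECT):
    """What the thread's 'contains' version tests: each expected value only
    has to occur somewhere in the DN string."""
    return all(value in subject_dn for value in expected.values())


def exact_check(subject_dn, issuer_dn, ssl_errstr,
                expected=EXPECTED_SUBJECT, issuer_cn=EXPECTED_ISSUER_CN):
    """Stricter equivalent of the iRule's accept branch: chain validation
    must report "ok", the issuer CN must match, and every expected subject
    attribute must be equal to (not merely contain) the expected value."""
    if ssl_errstr != "ok":
        return False
    try:
        subject, issuer = dn_to_dict(subject_dn), dn_to_dict(issuer_dn)
    except ValueError:
        return False
    if issuer.get("CN") != issuer_cn:
        return False
    return all(subject.get(attr) == value for attr, value in expected.items())


if __name__ == "__main__":
    # Constructed sample DNs in the assumed one-line format.
    good = "C=Country, ST=State, L=Locale, O=Organization, OU=OU, CN=www.foo.com"
    lookalike = good + ".example"   # CN=www.foo.com.example
    issuer = "C=Country, O=Organization, CN=Issuer"
    print(substring_check(good), exact_check(good, issuer, "ok"))            # True True
    print(substring_check(lookalike), exact_check(lookalike, issuer, "ok"))  # True False
```

The substring version also passes any certificate whose DN happens to contain the expected strings in other attributes, so when moving to 10.x (where matches_glob replaces matches) it is worth checking each field individually rather than the whole DN string.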