Forum Discussion

2019F5DevCentra
Dec 05, 2019

Client Cert validation

Trying to understand the logistics here in the KB article - https://clouddocs.f5.com/api/irules/ClientCertificateCNChecking.html

     #Example Subject DN:  /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
     set subject_dn [X509::subject [SSL::cert 0]]
     log "Client Certificate Received: $subject_dn"
     #Check if the client certificate contains the correct O and a CN from the list
     if { ([matchclass $subject_dn contains my_cn_list]) and ($subject_dn contains $static::org) } {
        #Accept the client cert
        log "Client Certificate Accepted: $subject_dn"
     } else {
        log "No Matching Client Certificate Was Found Using: $subject_dn"
        reject
     }

 

With this code, does the F5 just automatically accept the client cert and pass the user on to the HTTP_REQUEST portion of the iRule if it matches the data group list here, or does some action need to happen within the client cert section of the if statement to pass on the data?


  •

    when CLIENTSSL_CLIENTCERT {
        set s_dn [X509::subject [SSL::cert 0]]
        set s_serial [X509::serial_number [SSL::cert 0]]
        log local0. "Client Certificate Received: $s_dn"
        if { $s_dn != "" } {
            if { ([matchclass $s_serial contains DatagroupS]) } {
                #Accept the client cert
                log local0. "Client Certificate Accepted: $s_serial"
            } else {
                #A certificate was presented but its serial is not in the datagroup
                reject
                log local0. "Failed Cert Auth - Serial Not In Datagroup"
            }
        } else {
            #Empty subject DN: no client certificate was presented
            reject
        }
    }

    Try this, it should work 🙂

7 Replies


  • Hi

    This just matches the CN and ORGANISATION of a certificate to values stored in a datagroup and static variable. If OK, the request will be released to the backend.

    But note this requires first that the SSL profile assigned to the virtual servers accepts the client certificate provided by the client, depending on how your SSL Profile is configured:

    • Trusted CA
    • CRLs...

    To summarize:

    • If client cert authentication is enabled in your clientssl profile
    • If the client cert issuer is trusted in your clientssl profile
    • If the client cert is not in the revocation list (if you configured one in your clientssl profile)
    • If the CN is in the datagroup list
    • If the ORG matches the static variable value

    Then the processing will continue

    Hope this makes it clearer. Let us know if not

    Yoann

    • 2019F5DevCentra

      In looking at the code, I seem to be having an issue with the way I'm requesting data.

      I want to allow multiple certificates from multiple orgs to access my application, and within the ClientSSL profile I have only enabled the "Request" feature. I just want a general Client SSL Profile to request the certificate and then pass on to the iRule. If the client subject DN matches my data group, then allow traffic to pass. I seem to be having issues somewhere here.

         #Example Subject DN:  /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
         set subject_dn [X509::subject [SSL::cert 0]]
         log "Client Certificate Received: $subject_dn"
         #Check if the client certificate contains a CN from the list
         if { ([matchclass $subject_dn contains my_cn_list]) } {
            #Accept the client cert
            log "Client Certificate Accepted: $subject_dn"
         } else {
            log "No Matching Client Certificate Was Found Using: $subject_dn"
            reject
         }

      In my logging with the subject matching, I get the log indicating it did match, but then the script also flows through the reject statement and I see the "No Matching" subject log, and traffic is rejected.

      What am I missing here?


    • 2019F5DevCentra

       

      when CLIENTSSL_CLIENTCERT {
          set s_dn [X509::subject [SSL::cert 0]]
          set s_serial [X509::serial_number [SSL::cert 0]]
          log local0. "Client Certificate Received: $s_dn"
          if { $s_dn != "" } {
              if { ([matchclass $s_serial contains DatagroupS]) } {
                  #Accept the client cert
                  log local0. "Client Certificate Accepted: $s_serial"
              }
          }
          #Note: this reject sits outside the if block above, so it runs for every
          #connection, including one whose serial was just logged as accepted
          reject
          log local0. "Failed Cert Auth - No Certificate"
      }
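An added example, not code from the KB article or from anyone in this thread: an iRule that keeps the reject inside the else branch and ends the event with return (so a matched certificate is never logged as accepted and then rejected), and compares the parsed O and CN attributes exactly instead of using substring contains checks on the whole DN. It assumes the clientssl profile verifies the chain and CRL, that the datagroup my_cn_list holds bare CN values (not "CN=..." strings), and that the value of static::org is the one set in RULE_INIT below.

```tcl
when RULE_INIT {
    # Assumed value; the thread references $static::org but never shows its content
    set static::org "Your Organisation"
}

when CLIENTSSL_CLIENTCERT {
    # Nothing to match if the client presented no certificate at all
    if { [SSL::cert count] < 1 } {
        log local0. "Client Certificate Rejected: none presented"
        reject
        return
    }
    # The clientssl profile's own chain/CRL verdict (0 means verified OK)
    if { [SSL::verify_result] != 0 } {
        log local0. "Client Certificate Rejected: verify result [SSL::verify_result]"
        reject
        return
    }
    set subject_dn [X509::subject [SSL::cert 0]]
    log local0. "Client Certificate Received: $subject_dn"

    # Split "/C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith"
    # into attribute=value pairs and keep the two attributes we decide on
    set cn ""
    set org ""
    foreach rdn [split $subject_dn "/"] {
        if { [regexp {^([^=]+)=(.*)$} $rdn -> attr value] } {
            switch -- $attr {
                CN { set cn $value }
                O  { set org $value }
            }
        }
    }

    # Exact comparison on each attribute: a substring check such as
    # "$subject_dn contains CN=John Smith" would also match CN=John Smithson
    if { [class match -- $cn equals my_cn_list] && [string equal $org $static::org] } {
        log local0. "Client Certificate Accepted: O=$org CN=$cn"
        # No further action needed: the handshake completes and HTTP_REQUEST fires
    } else {
        log local0. "No Matching Client Certificate Was Found Using: $subject_dn"
        reject
        # Stop here so nothing else in this event runs after the reject
        return
    }
}
```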