Forum Discussion

2019F5DevCentra's avatar
2019F5DevCentra
Icon for Cirrus rankCirrus
Dec 05, 2019

Client Cert validation

Trying to understand the Logistics here in KB Article - https://clouddocs.f5.com/api/irules/ClientCertificateCNChecking.html   #Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/O...
devops
iRules
  • Yoann_Le_Corvi1's avatar
    Yoann_Le_Corvi1
    Dec 06, 2019

     

    when CLIENTSSL_CLIENTCERT {
    set s_dn [X509::subject [SSL::cert 0]]
    set s_serial [X509::serial_number [SSL::cert 0]]
    log local0. "Client Certificate Received: $s_dn"
    if { $s_dn != "" }{
        if { ([matchclass $s_serial contains DatagroupS]) } {
            #Accept the client cert
            log local0. "Client Certificate Accepted: $s_serial"
        } else {
            reject
            log local0. "Failed Cert Auth - No Certificate"
        }
    } else {
        reject
    }
}

     

    Try this, it should work 🙂

Yoann_Le_Corvi1's avatar
Yoann_Le_Corvi1
Icon for Cumulonimbus rankCumulonimbus
Dec 05, 2019

Hi

 

This just matches the CN and ORGANISATION of a certificate to values stores in a datagroup and static variable. If OK, the request will be release to the backend.

 

But note this requires first that the SSL profile assigned to the virtual servers accepts the client certificate provided by the client, depending on how your SSL Profile is configured :

  • Trusted CA
  • CRLs...

 

To summerize :

  • If client cert authentication is enabled in your clientssl profile
  • If the client cert issuer is trusted in your clientssl profile
  • If the client cert is not in the revocation list (if you configured one in your clientssl profile)
  • If the CN is in the datagroup list
  • If the ORG matches the static variable value

 

The the processing will continue

 

Hope this makes it clearer. Let us know if not

 

Yoann

  • 2019F5DevCentra's avatar
    2019F5DevCentra
    Icon for Cirrus rankCirrus
    Dec 05, 2019

    In looking at the code, I seem to be having an issue with the way I'm requesting data.

    If I want to get Multiple Certificates from Multiple Orgs to be able to access my application and within ClientSSL Profile I have only enabled the "Request" feature. I just want a general Client SSL Profile to Request the Certificate and then pass onto the iRule. If the Client Subject DN matches to my data group then allow traffic to pass. I seem to be having issues somewhere here.

     

       #Example Subject DN:  /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
      set subject_dn [X509::subject [SSL::cert 0]]
      log "Client Certificate Received: $subject_dn"
      #Check if the client certificate contains the correct O and a CN from the list
      if { ([matchclass $subject_dn contains my_cn_list]) } {
         #Accept the client cert
         log "Client Certificate Accepted: $subject_dn"
      } else {
         log "No Matching Client Certificate Was Found Using: $subject_dn"
         reject
      }

     

    In my logging with the Subject Matching, I get the Log indicating it did match, but then the script also flows through the reject statement and I see the No matching Subject, and traffic is rejected.

     

    What am I missing here.