Forum Discussion
Client Cert validation
- Dec 06, 2019
when CLIENTSSL_CLIENTCERT {
    set s_dn [X509::subject [SSL::cert 0]]
    set s_serial [X509::serial_number [SSL::cert 0]]
    log local0. "Client Certificate Received: $s_dn"
    if { $s_dn != "" } {
        # Accept the client cert only if its serial number is listed in the datagroup
        if { [matchclass $s_serial contains DatagroupS] } {
            log local0. "Client Certificate Accepted: $s_serial"
        } else {
            reject
            log local0. "Failed Cert Auth - serial $s_serial not in DatagroupS"
        }
    } else {
        # No client certificate was presented
        reject
        log local0. "Failed Cert Auth - No Certificate"
    }
}
Try this, it should work 🙂
Hi
This just matches the CN and ORGANISATION of a certificate to values stored in a datagroup and a static variable. If OK, the request will be released to the backend.
But note this requires first that the SSL profile assigned to the virtual servers accepts the client certificate provided by the client, depending on how your SSL Profile is configured:
- Trusted CA
- CRLs...
To summarize:
- If client cert authentication is enabled in your clientssl profile
- If the client cert issuer is trusted in your clientssl profile
- If the client cert is not in the revocation list (if you configured one in your clientssl profile)
- If the CN is in the datagroup list
- If the ORG matches the static variable value
Then the processing will continue.
Hope this makes it clearer. Let us know if not
Yoann
In looking at the code, I seem to be having an issue with the way I'm requesting data.
If I want to get Multiple Certificates from Multiple Orgs to be able to access my application and within ClientSSL Profile I have only enabled the "Request" feature. I just want a general Client SSL Profile to Request the Certificate and then pass onto the iRule. If the Client Subject DN matches to my data group then allow traffic to pass. I seem to be having issues somewhere here.
# Event wrapper assumed: the snippet runs when the client certificate is received
when CLIENTSSL_CLIENTCERT {
    # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
    set subject_dn [X509::subject [SSL::cert 0]]
    log "Client Certificate Received: $subject_dn"
    # Check if the client certificate contains the correct O and a CN from the list
    if { [matchclass $subject_dn contains my_cn_list] } {
        # Accept the client cert
        log "Client Certificate Accepted: $subject_dn"
    } else {
        log "No Matching Client Certificate Was Found Using: $subject_dn"
        reject
    }
}
In my logging with the Subject Matching, I get the Log indicating it did match, but then the script also flows through the reject statement and I see the No matching Subject, and traffic is rejected.
What am I missing here?
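The checklist in Yoann's reply (profile accepts the cert, issuer trusted, not revoked, CN in the datagroup, O equal to the expected value) and the `matchclass $subject_dn contains my_cn_list` test in the snippet above are modelled below in plain Python. This is an added example, not code from the thread or from F5: the certificate fields, issuer names, serial numbers and datagroup entries are all constructed, `ClientCert`, `parse_dn`, `substring_match` and `validate_client_cert` are hypothetical helpers, and the DN parser assumes the OpenSSL one-line format with no escaped `/` or `=` in values. It also shows why a substring match over the whole DN is looser than an exact match on the CN attribute.

```python
# Added example (not code from the DevCentral thread or from F5): a plain Python
# model of the checklist in Yoann's reply, so the decision logic can be run
# offline. Certificates, issuers, serials and names below are all constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientCert:
    """Minimal stand-in for the fields the iRule reads via X509::subject etc."""
    subject_dn: str
    issuer_dn: str
    serial: str


def parse_dn(dn: str) -> dict:
    """Split an OpenSSL one-line DN ('/C=AU/O=Acme/CN=John Smith') into a dict.

    Assumes no RDN value contains '/' or '='; real DNs may need escaping support.
    """
    parts = {}
    for rdn in dn.strip("/").split("/"):
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts[key.strip()] = value.strip()
    return parts


def substring_match(subject_dn: str, cn_list: set) -> bool:
    """Mirror of `matchclass $subject_dn contains my_cn_list`: true when any
    datagroup entry appears anywhere in the DN string, whatever attribute it is in."""
    return any(entry in subject_dn for entry in cn_list)


def validate_client_cert(cert, trusted_issuers, revoked_serials, allowed_cns, expected_org):
    """Apply the thread's checks in order; return (accepted, reason)."""
    if cert is None:
        return False, "no certificate presented"
    if cert.issuer_dn not in trusted_issuers:
        return False, "issuer not trusted"
    if cert.serial in revoked_serials:
        return False, "certificate revoked"
    dn = parse_dn(cert.subject_dn)
    if dn.get("CN") not in allowed_cns:  # exact match on the CN attribute only
        return False, "CN not in datagroup"
    if dn.get("O") != expected_org:  # exact match on the O attribute only
        return False, "organisation mismatch"
    return True, "accepted"


# Constructed policy data (stand-ins for the clientssl profile and datagroup).
TRUSTED_ISSUERS = {"/C=AU/O=Your Organisation/CN=Your Issuing CA"}
REVOKED_SERIALS = {"0A1B2C"}
ALLOWED_CNS = {"John Smith", "Jane Doe"}
EXPECTED_ORG = "Your Organisation"

# Constructed certificates.
GOOD = ClientCert("/C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith",
                  "/C=AU/O=Your Organisation/CN=Your Issuing CA", "0A1B2D")
REVOKED = ClientCert(GOOD.subject_dn, GOOD.issuer_dn, "0A1B2C")
OTHER_ORG = ClientCert("/C=AU/O=John Smith Pty Ltd/CN=Someone Else",
                       GOOD.issuer_dn, "0A1B2E")


def run_demo():
    """Return the outcome of each check so they can be inspected or asserted."""
    return {
        "good": validate_client_cert(GOOD, TRUSTED_ISSUERS, REVOKED_SERIALS, ALLOWED_CNS, EXPECTED_ORG),
        "revoked": validate_client_cert(REVOKED, TRUSTED_ISSUERS, REVOKED_SERIALS, ALLOWED_CNS, EXPECTED_ORG),
        "other_org": validate_client_cert(OTHER_ORG, TRUSTED_ISSUERS, REVOKED_SERIALS, ALLOWED_CNS, EXPECTED_ORG),
        # A whole-DN substring match is satisfied by an allowed name appearing in O=, not CN=
        "other_org_substring": substring_match(OTHER_ORG.subject_dn, ALLOWED_CNS),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

On a BIG-IP the first three checks (certificate requested, issuer trusted, CRL) are done by the clientssl profile before the iRule ever sees the certificate, as Yoann notes; the exact-attribute comparison in `validate_client_cert` is the part that corresponds to the datagroup and static-variable checks, and it rejects `OTHER_ORG` where the whole-DN substring match accepts it.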