Forum Discussion

2019F5DevCentra's avatar
2019F5DevCentra
Icon for Cirrus rankCirrus
Dec 05, 2019

Client Cert validation

Trying to understand the Logistics here in KB Article - https://clouddocs.f5.com/api/irules/ClientCertificateCNChecking.html   #Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/O...
devops
iRules
  • Yoann_Le_Corvi1's avatar
    Yoann_Le_Corvi1
    Dec 06, 2019

     

    when CLIENTSSL_CLIENTCERT {
    set s_dn [X509::subject [SSL::cert 0]]
    set s_serial [X509::serial_number [SSL::cert 0]]
    log local0. "Client Certificate Received: $s_dn"
    if { $s_dn != "" }{
        if { ([matchclass $s_serial contains DatagroupS]) } {
            #Accept the client cert
            log local0. "Client Certificate Accepted: $s_serial"
        } else {
            reject
            log local0. "Failed Cert Auth - No Certificate"
        }
    } else {
        reject
    }
}

     

    Try this, it should work 🙂

Yoann_Le_Corvi1's avatar
Yoann_Le_Corvi1
Icon for Cumulonimbus rankCumulonimbus
Dec 05, 2019

Hi

 

Maybe issues with { } ?

 

Can you post the full iRule ?

 

Thanks

  • 2019F5DevCentra's avatar
    2019F5DevCentra
    Icon for Cirrus rankCirrus
    Dec 05, 2019

     

    when CLIENTSSL_CLIENTCERT {
 
    set s_dn [X509::subject [SSL::cert 0]]
 
    set s_serial [X509::serial_number [SSL::cert 0]]
 
	  log local0. "Client Certificate Received: $s_dn"
 
	  if { $s_dn != "" }{
 
          	 if { ([matchclass $s_serial contains DatagroupS]) } {
 
                 #Accept the client cert
 
                 log local0. "Client Certificate Accepted: $s_serial"
 
             } 
 
	  }
 
     reject
 
     log local0. "Failed Cert Auth - No Certificate"
 
     
 
}