Forum Discussion

JCMATTOS_41723
Dec 16, 2010

Client Certificate Authentication w/ CN Checking?
We are trying to use this iRule with our 8400 9.4.7 platform and followed the directions, but can't seem to get this to work. I see an error displaying in the logs (see below). Is there something I'm missing? Please help...

Dec 16 08:30:16 tmm tmm[1943]: 01220001:3: TCL error: ABC_123 - while executing "X509::subject [SSL::cert 0]"

Thu Dec 16 08:30:16 PST 2010 tmm tmm[1943] 01220001 TCL error: Progressive_CCA CLIENTSSL_CLIENTCERT - while executing X509::subject [SSL::cert 0]

1 Reply

  • Hi JC,

    Can you try this? I've added a check to see if the client actually provides a cert before trying to parse it:


    when RULE_INIT {
       set ::org "O=Your Organisation"
       # ::my_cn_list is a data group (class) of allowed CN values, defined in the
       # BIG-IP configuration rather than in this iRule
    }
    when CLIENTSSL_CLIENTCERT {
       # SSL::cert and X509::subject are only usable once the client cert has
       # arrived, i.e. in this event, not in RULE_INIT
       # Check if client provided a cert
       if { [SSL::cert 0] eq "" } {
          # Reset the connection
          reject
       } else {
          # Example Subject DN:  /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
          set subject_dn [X509::subject [SSL::cert 0]]
          log "Client Certificate Received: $subject_dn"
          # Check if the client certificate contains the correct O and a CN from the list
          if { ([matchclass $subject_dn contains $::my_cn_list]) and ($subject_dn contains $::org) } {
             # Accept the client cert
             log "Client Certificate Accepted: $subject_dn"
          } else {
             log "No Matching Client Certificate Was Found Using: $subject_dn"
             reject
          }
       }
    }
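As an added example (not part of the reply above), two plain Tcl procs that parse the slash-separated subject DN into attribute/value pairs and compare O and CN exactly, instead of the `contains` substring checks in the iRule, which would also accept a DN such as `O=Your Organisation Ltd` or `CN=John Smithson`. Inside an iRule the DN would come from `X509::subject [SSL::cert 0]` and the allowed list from a data group; the `org` and `allowed_cns` values below are constructed for the demonstration, and the parser assumes attribute values contain no `/`.

```tcl
# Parse a subject DN such as /C=AU/ST=NSW/O=Your Organisation/CN=John Smith
# into a flat "TYPE value TYPE value ..." list suitable for [array set].
# Uses only Tcl 8.4 features so it can be pasted into a BIG-IP 9.x iRule.
proc parse_subject_dn {dn} {
    set pairs [list]
    foreach part [split $dn "/"] {
        set eq [string first "=" $part]
        # Skip the empty element before the leading "/" and malformed parts
        if {$eq < 1} { continue }
        lappend pairs [string toupper [string range $part 0 [expr {$eq - 1}]]] \
                      [string range $part [expr {$eq + 1}] end]
    }
    return $pairs
}

# Return 1 only if the DN has O equal to $org and a CN that is one of
# $allowed_cns, comparing whole values (case-sensitive); otherwise 0.
# A DN that lacks O or CN is rejected rather than falling through.
proc cert_subject_allowed {dn org allowed_cns} {
    array set attrs [parse_subject_dn $dn]
    if {![info exists attrs(O)] || ![info exists attrs(CN)]} { return 0 }
    if {$attrs(O) ne $org} { return 0 }
    if {[lsearch -exact $allowed_cns $attrs(CN)] < 0} { return 0 }
    return 1
}

# Constructed sample values (hypothetical, not from the post)
set org "Your Organisation"
set allowed_cns [list "John Smith" "Jane Doe"]

# Exact O and listed CN: allowed
puts [cert_subject_allowed "/C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith" $org $allowed_cns]
# O is a superstring of the expected organisation: rejected (a contains check would pass it)
puts [cert_subject_allowed "/C=AU/O=Your Organisation Ltd/CN=John Smith" $org $allowed_cns]
# CN is a superstring of a listed name: rejected (a contains check would pass it)
puts [cert_subject_allowed "/C=AU/O=Your Organisation/CN=John Smithson" $org $allowed_cns]
# No CN at all: rejected
puts [cert_subject_allowed "/C=AU/O=Your Organisation" $org $allowed_cns]
```

Run with `tclsh` to see the four results; in the iRule, the `matchclass`/`contains` condition would be replaced by a call to `cert_subject_allowed` with the data group as the third argument.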