Forum Discussion
JCMATTOS_41723
Nimbostratus
Dec 16, 2010
Client Certificate Authentication w/ CN Checking?
All,
We are trying to use this iRule with our 8400 9.4.7 platform and followed the directions and can't seem to get this to work? I see an error displaying in the logs (see below) is there s...
hoolio
Cirrostratus
Dec 17, 2010
Hi JC,
Can you try this? I've added a check to see if the client actually provides a cert before trying to parse it:
when RULE_INIT {
    # Organisation (O=) that every accepted client cert must carry
    set ::org "O=Your Organisation"
}
when CLIENTSSL_CLIENTCERT {
    # Check if client provided a cert
    if {[SSL::cert 0] eq ""} {
        # Reset the connection
        reject
    } else {
        # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
        set subject_dn [X509::subject [SSL::cert 0]]
        log "Client Certificate Received: $subject_dn"
        # Check if the client certificate contains the correct O and a CN from the list
        # ($::my_cn_list is a data group class of "CN=..." strings that must already exist on the LTM)
        if { ([matchclass $subject_dn contains $::my_cn_list]) and ($subject_dn contains $::org) } {
            # Accept the client cert
            log "Client Certificate Accepted: $subject_dn"
        } else {
            log "No Matching Client Certificate Was Found Using: $subject_dn"
            reject
        }
    }
}
Aaron
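Added example, not part of the thread and not BIG-IP code: a small offline model in Python of the subject-DN check Aaron's iRule performs, so the matching logic can be tested without an LTM. The iRule's `matchclass ... contains` and `contains` are substring tests on the whole DN string, so a CN on the list also matches any longer CN that starts with it (`CN=John Smith` matches `CN=John Smithson`). The model below parses the DN into its RDN components (using the slash-separated layout shown in the iRule's comment) and compares O and CN exactly; `substring_check` reproduces the iRule's logic for comparison. `ALLOWED_CNS` and `REQUIRED_ORG` are constructed stand-ins for the `my_cn_list` data group and `::org`.

```python
# Added example: models the iRule's client-cert subject checks in Python.
# Not from the DevCentral post; ALLOWED_CNS / REQUIRED_ORG are constructed values
# standing in for the my_cn_list data group and the ::org variable.
from typing import Dict, List

ALLOWED_CNS = ["John Smith", "Jane Doe"]   # constructed allow-list
REQUIRED_ORG = "Your Organisation"         # O= value every accepted cert must carry


def parse_subject_dn(dn: str) -> Dict[str, List[str]]:
    """Parse a slash-separated DN such as
    /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
    into {attribute: [values]}. Attributes may repeat (e.g. two CN= RDNs),
    so values are kept as a list. Values containing '/' are not handled,
    matching the simple layout used in the iRule's comment."""
    rdns: Dict[str, List[str]] = {}
    for part in dn.strip("/").split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, _, value = part.partition("=")
        rdns.setdefault(attr.strip(), []).append(value.strip())
    return rdns


def cert_allowed(dn: str) -> bool:
    """Accept only if the cert has exactly one O equal to REQUIRED_ORG and
    exactly one CN that is on ALLOWED_CNS. Exact comparison per component,
    so 'John Smithson' does not pass for 'John Smith', and a cert carrying a
    second, unlisted CN is rejected rather than accepted on the listed one."""
    try:
        rdns = parse_subject_dn(dn)
    except ValueError:
        return False
    orgs = rdns.get("O", [])
    cns = rdns.get("CN", [])
    return (len(orgs) == 1 and orgs[0] == REQUIRED_ORG
            and len(cns) == 1 and cns[0] in ALLOWED_CNS)


def substring_check(dn: str) -> bool:
    """Reproduces the iRule's logic: matchclass 'contains' succeeds when any
    list entry is a substring of the DN, and 'contains $::org' is likewise a
    substring test. Shown only to contrast with cert_allowed()."""
    cn_hit = any(f"CN={cn}" in dn for cn in ALLOWED_CNS)
    org_hit = f"O={REQUIRED_ORG}" in dn
    return cn_hit and org_hit


if __name__ == "__main__":
    for dn in ["/C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith",
               "/C=AU/O=Your Organisation/CN=John Smithson",
               "/C=AU/O=Other Org/CN=John Smith",
               ""]:
        print(f"{dn!r:70} exact={cert_allowed(dn)} substring={substring_check(dn)}")
```

Running the block prints both results side by side; the `CN=John Smithson` line is the one where the substring form accepts and the exact form rejects. An empty DN (no cert presented) fails both checks, which is the case the added `SSL::cert 0` test in the iRule handles before parsing.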