Forum Discussion
Shawn_Salyers_8
Nimbostratus
NimbostratusClient Certificate Help Needed!!!!
I have been searching the forums and have not been able to find an iRule example that I am able to get working. Simply put, I need to require a client certificate and allow access based on the thumbprint of the cert. I will store the thumbprints in a datagroup if the thumbprint exists access is granted.
Any help would be GREATLY appreciated!
hooleylistCirrostratus
Hi Shawn,
Which LTM version are you running? The format for such a rule has changed somewhat in the various versions.
Thanks, Aaron
Shawn_Salyers_8BIG-IP 9.4.7 Build 320.1 Final- hooleylistThis example is something you could start with:
http://devcentral.f5.com/wiki/default.aspx/iRules/ClientCertificateCNChecking.html
You could add logic to one of those examples, which after validating the client cert, adds the client's ssl ssession ID to the session table:
http://devcentral.f5.com/wiki/default.aspx/iRules/session
That way you could support SSL session resumption in the client SSL profile and only check the cert once per session.
Aaron - Shawn_Salyers_8So this is what I have come up with so far:
when CLIENTSSL_CLIENTCERT {
set serial_dn [X509::serial_number [SSL::cert 0]]
log "Client Certificate Received: $serial_dn"
if { ([matchclass $serial_dn contains $::ClientCert])} {
Accept the client cert
log "Client Certificate Accepted: $serial_dn"
} else {
log "No Matching Client Certificate Was Found Using: $serial_dn"
reject
}
}
It basically checks the serial number of the client cert and see if it matches an entry in the Data Group.
Can I add anything to this to make it better? How can I add the serial number to the header so that it can get logged on the webserver side?
Thanks for the guidance and suggestions!