Forum Discussion
Shawn_Salyers_8
Nimbostratus
Dec 16, 2010
Client Certificate Help Needed!!!!
I have been searching the forums and have not been able to find an iRule example that I am able to get working. Simply put, I need to require a client certificate and allow access based on the thumbp...
Shawn_Salyers_8
Nimbostratus
Dec 28, 2010
So this is what I have come up with so far:
    when CLIENTSSL_CLIENTCERT {
        # Read the serial number of the certificate the client presented
        set serial_dn [X509::serial_number [SSL::cert 0]]
        log "Client Certificate Received: $serial_dn"
        # Look the serial number up in the ClientCert data group
        if { ([matchclass $serial_dn contains $::ClientCert])} {
            # Accept the client cert
            log "Client Certificate Accepted: $serial_dn"
        } else {
            log "No Matching Client Certificate Was Found Using: $serial_dn"
            reject
        }
    }
It basically checks the serial number of the client cert and sees if it matches an entry in the Data Group.
Can I add anything to this to make it better? How can I add the serial number to the header so that it can get logged on the webserver side?
Thanks for the guidance and suggestions!
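One way to pass the serial number to the web server, as an added example that is not part of the original post or F5's own code. The header name X-Client-Cert-Serial is an assumption; the data group name ClientCert is taken from the post. It uses an exact `equals` lookup, because `contains` is a substring match and a short data group entry could match more than one serial.

```tcl
# Added example. Assumed names: header X-Client-Cert-Serial, variable client_serial.
when CLIENTSSL_CLIENTCERT {
    # No certificate presented at all: nothing to check, drop the connection.
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate presented"
        reject
        return
    }

    set cert_serial [X509::serial_number [SSL::cert 0]]

    # Exact match against the data group. A serial number is only unique
    # per issuing CA, so this relies on the client SSL profile trusting
    # only the intended CA.
    if { [class match $cert_serial equals ClientCert] } {
        # Keep the serial for the rest of this connection.
        set client_serial $cert_serial
        log local0. "Client Certificate Accepted: $cert_serial"
    } else {
        log local0. "No Matching Client Certificate Was Found Using: $cert_serial"
        reject
    }
}

when HTTP_REQUEST {
    # Always strip any copy of the header sent by the client, so the
    # web server never logs a value the BIG-IP did not set itself.
    HTTP::header remove "X-Client-Cert-Serial"

    # Insert the serial only if a certificate was accepted on this connection.
    if { [info exists client_serial] } {
        HTTP::header insert "X-Client-Cert-Serial" $client_serial
    }
}
```

The web server can then add the X-Client-Cert-Serial request header to its access log format; it should treat that header as trustworthy only on traffic that arrives through this virtual server.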
