Forum Discussion
Client Certificate sr number validation - irule
Hi
I have a virtual server which has a client SSL profile to validate the client certificate (require). As additional security, we want to allow only a client with a specific serial number to connect. I found the iRule below on DevCentral and it is behaving in a strange way:
```tcl
when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert 0] eq ""} {
        # Reset the connection
        reject
    } else {
        log local0. "Certificate 1: [X509::serial_number [SSL::cert 0]]"
        set subject_sn [X509::serial_number [SSL::cert 0]]
        log "Client Certificate Received: $subject_sn"
        # Check if the client certificate contains the correct serial_number
        if {$subject_sn equals "00:f3:f8:d0:2b:87:42:a1:05:4f:27:5f:dc:2c:41:66:c6"} {
            # Accept the client cert
            log "Client Certificate Accepted: $subject_sn"
        } else {
            log "No Matching Client Certificate Was Found Using: $subject_sn"
            reject
        }
    }
}
```
The iRule seems to be fine, but it is not working and is giving the logs below:
Dec 21 15:56:33 JUB-HQ-ASM-01 info tmm1[22672]: Rule /Common/Client-Cert-Validation : Certificate 1: f3:f8:d0:2b:87:42:a1:05:4f:27:5f:dc:2c:41:66:c6
Dec 21 15:56:33 JUB-HQ-ASM-01 info tmm1[22672]: 01220002:6: Rule /Common/Client-Cert-Validation : Client Certificate Received: f3:f8:d0:2b:87:42:a1:05:4f:27:5f:dc:2c:41:66:c6
Dec 21 15:56:33 JUB-HQ-ASM-01 info tmm1[22672]: 01220002:6: Rule /Common/Client-Cert-Validation : No Matching Client Certificate Was Found Using: f3:f8:d0:2b:87:42:a1:05:4f:27:5f:dc:2c:41:66:c6
Any idea why it is not working?
1 Reply
- Ed_Summers
Nimbostratus
Your test is for "00:f3:f8:d0:2b:87:42:a1:05:4f:27:5f:dc:2c:41:66:c6", but the log indicates that the system pulled "f3:f8:d0:2b:87:42:a1:05:4f:27:5f:dc:2c:41:66:c6". Note that the BIG-IP will strip leading zeroes when using X509::serial_number; this is actually a function of the underlying OpenSSL returning the value.
You need to change your iRule to remove the leading zeroes.
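To show where that leading "00:" comes from and how to compare the two forms without tripping over it, here is an added example that is not part of the original post and not F5 code or an iRule. It uses only the Python standard library; the two serial strings are constructed from the values in the thread, and the function names (serial_to_int, normalize_serial, der_integer_content, serial_allowed) are this example's own.

```python
"""Normalise X.509 serial numbers before comparing them.

Added example for this thread (not F5 code, not an iRule). It shows why the
BIG-IP log prints 'f3:f8:...' while other tools show '00:f3:f8:...', and how
to compare the two forms robustly. Standard library only.
"""

# Constructed sample values: the serial from the thread in both display forms.
BIGIP_SERIAL = "f3:f8:d0:2b:87:42:a1:05:4f:27:5f:dc:2c:41:66:c6"        # as logged by X509::serial_number
DER_STYLE_SERIAL = "00:f3:f8:d0:2b:87:42:a1:05:4f:27:5f:dc:2c:41:66:c6"  # as shown by tools that print the raw DER bytes

HEX_DIGITS = set("0123456789abcdef")


def serial_to_int(serial: str) -> int:
    """Parse any common display form ('AA:BB', 'aabb', 'AA BB', with or without
    a leading 00) into the integer the certificate actually carries."""
    hexstr = "".join(ch for ch in serial.lower() if ch in HEX_DIGITS)
    if not hexstr:
        raise ValueError("serial contains no hex digits: %r" % serial)
    if len(hexstr) % 2:
        raise ValueError("serial has an odd number of hex digits: %r" % serial)
    return int(hexstr, 16)


def normalize_serial(serial: str) -> str:
    """Canonical text form: lowercase hex, no separators, no leading zeros.
    Leading zeros carry no numeric value, so '00:f3:...' and 'f3:...' map to
    the same string."""
    return format(serial_to_int(serial), "x")


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER for a non-negative value.

    DER encodes INTEGER as big-endian two's complement of minimal length.
    When the top bit of the first magnitude byte is set (0xf3 here), a 0x00
    byte must be prepended so the positive serial is not decoded as negative.
    That byte is the '00:' seen in raw-DER displays; OpenSSL (and therefore
    BIG-IP's X509::serial_number) prints the integer value, where it vanishes."""
    if value < 0:
        raise ValueError("X.509 serial numbers are positive integers")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return body


def serial_allowed(received: str, allowlist) -> bool:
    """The comparison the iRule should make: canonicalise both sides first,
    so the allowlist can be pasted from any tool's display format."""
    wanted = {normalize_serial(s) for s in allowlist}
    return normalize_serial(received) in wanted


if __name__ == "__main__":
    value = serial_to_int(BIGIP_SERIAL)
    print("integer value    :", hex(value))
    print("DER content bytes:", der_integer_content(value).hex())
    print("normalised (log) :", normalize_serial(BIGIP_SERIAL))
    print("normalised (00:) :", normalize_serial(DER_STYLE_SERIAL))
    print("allowed?         :", serial_allowed(BIGIP_SERIAL, {DER_STYLE_SERIAL}))
```

Running it prints the DER content as 00f3f8d0... and the same normalised value for both input forms, so the allowlist check succeeds. In the iRule the equivalent is either to store the serial without the leading 00 (as the reply says) or to strip leading zero bytes before comparing, for example with `regsub {^(00:)+} $subject_sn "" subject_sn` followed by `string tolower`. One caveat worth keeping in mind: a serial number is only unique within one issuing CA, so the serial check is an addition to, not a replacement for, the client SSL profile's CA validation that the question already has set to "require".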
