Forum Discussion
Maxim_Taskov_90
Nimbostratus
Nov 15, 2011
Client Certificate Validation by Subject
I am trying to use the common name CN from the x509::subject variable to validate a client certificate. I used the rule from the following post as a sample:
http://devcentral.f5.com/Communit...
hoolio
Cirrostratus
Nov 15, 2011
Hi Maxim,
You should be able to use [SSL::cert count] > 0 to check for a cert before attempting to parse the cert:
when CLIENTSSL_CLIENTCERT {
    # Only parse the certificate if the client actually presented one
    if { [SSL::cert count] > 0 and [SSL::cert 0] ne "" } {
        set subject_dn [X509::subject [SSL::cert 0]]
        # Log the subject properties of the presented certificate
        log local0. "Client Certificate Received: $subject_dn"
        # Check to see if the presented certificate is allowed and if yes, accept
        if { $subject_dn eq "" } {
            # Certificate has blank subject, reject
            log local0. "Client Certificate with blank subject was detected"
            reject
        } elseif { [matchclass $subject_dn contains ebilling_accepted_certs] } {
            log local0. "Client Certificate Accepted: $subject_dn"
        } else {
            # Any other condition, reject
            log local0. "Unauthorized Client Certificate was detected: $subject_dn"
            reject
        }
    }
}
Note that I've removed the $:: prefix from the datagroup name assuming you're on 9.4.4 or higher. If you're on an LTM version lower than 9.4.4, add the $:: prefix back.
Aaron
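An added example, not part of the thread above, that models the accept/reject decision of that iRule in Python rather than iRule Tcl so it can be run offline: it assumes a constructed allow-list (standing in for the ebilling_accepted_certs data group) and constructed subject DNs, and contrasts the substring-style `contains` test with an exact match on the CN extracted from the subject, which is the check the question actually asks for.

```python
import re

# Constructed allow-list of accepted client-certificate common names
# (stands in for the ebilling_accepted_certs data group in the iRule).
ACCEPTED_CNS = {"billing-client-01", "billing-client-02"}

# Constructed subject DNs, in the "CN=...,OU=...,O=..." form X509::subject returns.
SAMPLE_SUBJECTS = [
    "CN=billing-client-01,OU=Billing,O=Example Corp",    # listed CN
    "CN=billing-client-011,OU=Billing,O=Example Corp",   # listed CN plus one char
    "",                                                  # blank subject
    "OU=Billing,O=Example Corp",                         # no CN attribute at all
]

def extract_cn(subject_dn):
    """Return the first CN attribute of a comma-separated subject DN, or None."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject_dn, re.IGNORECASE)
    return m.group(1).strip() if m else None

def decide_contains(subject_dn, accepted):
    """Mirror the iRule's 'matchclass ... contains' test: accept when any
    allow-list entry occurs as a substring anywhere in the whole subject DN."""
    if subject_dn == "":
        return "reject"
    return "accept" if any(entry in subject_dn for entry in accepted) else "reject"

def decide_exact_cn(subject_dn, accepted):
    """Stricter check: reject blank subjects and subjects without a CN, and
    accept only when the extracted CN is exactly an allow-list entry."""
    if subject_dn == "":
        return "reject"
    cn = extract_cn(subject_dn)
    if cn is None:
        return "reject"
    return "accept" if cn in accepted else "reject"

def compare(subjects=SAMPLE_SUBJECTS, accepted=ACCEPTED_CNS):
    """Run both decision functions over the sample subjects for side-by-side review."""
    return [(s, decide_contains(s, accepted), decide_exact_cn(s, accepted)) for s in subjects]

if __name__ == "__main__":
    for subject, by_contains, by_cn in compare():
        print(f"{subject!r:55} contains={by_contains:6} exact_cn={by_cn}")
```

The second sample subject is the one to watch: a substring match over the DN accepts it, while the exact-CN match rejects it.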