Forum Discussion
hooleylist
Nov 15, 2011 | Cirrostratus
Hi Maxim,
You should be able to use [SSL::cert count] > 0 to check for a cert before attempting to parse the cert:
    when CLIENTSSL_CLIENTCERT {
        # Only parse the cert if the client actually presented one
        if {[SSL::cert count] > 0 and [SSL::cert 0] ne ""} {
            set subject_dn [X509::subject [SSL::cert 0]]
            # Log the subject properties of the presented certificate
            log local0. "Client Certificate Received: $subject_dn"
            # Check to see if the presented certificate is allowed and if yes, accept
            if {$subject_dn eq ""} {
                # Certificate has blank subject, reject
                log local0. "Client Certificate with blank subject was detected"
                reject
            } elseif {[matchclass $subject_dn contains ebilling_accepted_certs]} {
                log local0. "Client Certificate Accepted: $subject_dn"
            } else {
                # Any other condition, reject
                log local0. "Unauthorized Client Certificate was detected: $subject_dn"
                reject
            }
        }
    }
Note that I've removed the $:: prefix from the datagroup name assuming you're on 9.4.4 or higher. If you're on an LTM version lower than 9.4.4, add the $:: prefix back.
Aaron