Forum Discussion
Maxim_Taskov_90
Nov 15, 2011 | Nimbostratus
Client Certificate Validation by Subject
I am trying to use the common name CN from the x509::subject variable to validate a client certificate. I used the rule from the following post as a sample:
http://devcentral.f5.com/Communit...
Maxim_Taskov_90
Nov 15, 2011 | Nimbostratus
Thanks for the fast reply hoolio. Yes, I am on 9.4.7, so the $:: prefix isn't really needed.
The iRule continues to function fine if authorized and valid but unauthorized client certificate is received. However, the iRule continues to crash with the following TCL error and allow the connection:
Nov 15 20:34:59 tmm tmm[1672]: 01220001:3: TCL error: client_cert_check - command returned bad code: 32 while executing "if {[SSL::cert count] > 1 and [SSL::cert 0] ne ""}{ set subject_dn [X509::subject [SSL::cert 0]] log local0. "Client Certificate Received:..."
Now the connection is at least rejected when client certificate is not presented but nothing appears in the log.
Thanks again for your help.