Forum Discussion
Maxim_Taskov_90
Nov 15, 2011 (Nimbostratus)
Client Certificate Validation by Subject
I am trying to use the common name CN from the x509::subject variable to validate a client certificate. I used the rule from the following post as a sample:
http://devcentral.f5.com/Communit...
nitass
Nov 16, 2011 (Employee)
why is [SSL::cert count] greater than 1? shouldn't it be 1?
this is mine.
[root@ve1023:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.65.152:https
   ip protocol tcp
   rules myrule
   profiles {
      http {}
      myclientssl {
         clientside
      }
      tcp {}
   }
}
[root@ve1023:Active] config b rule myrule list
rule myrule {
   when CLIENTSSL_CLIENTCERT {
      # Only act when the client actually presented a certificate
      if { [SSL::cert count] > 0 and [SSL::cert 0] ne "" } {
         set subject_dn [X509::subject [SSL::cert 0]]
         log local0. "Client Certificate Received: $subject_dn"
         if { $subject_dn eq "" } {
            log local0. "Client Certificate with blank subject was detected"
            reject
         } elseif { [matchclass $subject_dn contains ebilling_accepted_certs] } {
            # subject DN matched an entry in the string data group
            log local0. "Client Certificate Accepted: $subject_dn"
         } else {
            log local0. "Unauthorized Client Certificate was detected: $subject_dn"
            reject
         }
      }
   }
}
[root@ve1023:Active] config b class ebilling_accepted_certs list
class ebilling_accepted_certs {
   type string
}
[root@ve1023:Active] config curl -Ik https://172.28.65.152/ --cert /var/tmp/temp/ca/client.crt --key /var/tmp/temp/ca/client.key
curl: (55) SSL_write() returned SYSCALL, errno = 104
[root@ve1023:Active] config
Nov 16 00:44:08 local/tmm info tmm[4766]: Rule myrule : Client Certificate Received: CN=client.f5net.com,OU=ps,O=f5net,L=seattle,ST=wa,C=us
Nov 16 00:44:08 local/tmm info tmm[4766]: Rule myrule : Unauthorized Client Certificate was detected: CN=client.f5net.com,OU=ps,O=f5net,L=seattle,ST=wa,C=us
[root@ve1023:Active] config b class ebilling_accepted_certs list
class ebilling_accepted_certs {
   "CN=client.f5net.com,OU=ps,O=f5net,L=seattle,ST=wa,C=us"
}
[root@ve1023:Active] config curl -Ik https://172.28.65.152/ --cert /var/tmp/temp/ca/client.crt --key /var/tmp/temp/ca/client.key
HTTP/1.1 200 OK
Date: Wed, 16 Nov 2011 08:45:17 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Connection: close
Content-Type: text/html; charset=UTF-8
[root@ve1023:Active] config
Nov 16 00:45:03 local/tmm info tmm[4766]: Rule myrule : Client Certificate Received: CN=client.f5net.com,OU=ps,O=f5net,L=seattle,ST=wa,C=us
Nov 16 00:45:03 local/tmm info tmm[4766]: Rule myrule : Client Certificate Accepted: CN=client.f5net.com,OU=ps,O=f5net,L=seattle,ST=wa,C=us
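The rule above keys on the whole subject DN, while the original question asks for validation by CN only. The following is an added example, not code from the thread or from F5: it takes the subject string in the same "CN=...,OU=...,O=..." form that X509::subject logs in the post, extracts the CN with a small RFC 4514 style parser (escaped commas handled), and does an exact match against an allowlist. The allowlist contents and the second CN value are constructed for the example. It also shows, for contrast, the substring test that `matchclass ... contains` performs, which accepts any subject that merely contains an allowlisted entry.

```python
"""Validate a client certificate by the CN of its subject DN.

Added example (not from the DevCentral thread). Works on the subject string
in the same "CN=...,OU=...,O=..." form that X509::subject logs in the post.
"""
import re

# Constructed allowlist of accepted common names (lowercase). The thread's
# rule uses a BIG-IP string data group holding whole subject DNs instead.
ACCEPTED_CNS = frozenset({"client.f5net.com", "billing01.f5net.com"})

# One "attr=value" element; the value may contain backslash-escaped commas.
_DN_PART = re.compile(r'\s*([A-Za-z0-9.]+)\s*=\s*((?:\\.|[^,\\])*)')


def parse_subject(subject):
    """Split a comma-separated DN into [(ATTR, value), ...].

    Attribute types are upper-cased; a value such as 'O=Acme\\, Inc.' keeps
    its escaped comma. Raises ValueError on anything that does not parse.
    """
    parts = []
    pos = 0
    while pos < len(subject):
        m = _DN_PART.match(subject, pos)
        if not m:
            raise ValueError("malformed DN at offset %d: %r" % (pos, subject))
        attr = m.group(1).upper()
        value = re.sub(r'\\(.)', r'\1', m.group(2)).strip()  # drop escapes
        parts.append((attr, value))
        pos = m.end()
        if pos < len(subject):
            if subject[pos] != ',':
                raise ValueError("expected ',' at offset %d" % pos)
            pos += 1
    return parts


def common_names(subject):
    """Return every CN value in the DN (a DN may legally carry several)."""
    return [value for attr, value in parse_subject(subject) if attr == "CN"]


def is_authorized(subject, accepted=ACCEPTED_CNS):
    """Exact match of a single CN against the allowlist.

    Rejects a blank subject, an unparseable subject, a subject with no CN,
    and a subject with more than one CN (ambiguous: do not let the client
    choose which CN you read). CN comparison is case-insensitive, as for
    host names.
    """
    if not subject.strip():
        return False
    try:
        cns = common_names(subject)
    except ValueError:
        return False
    if len(cns) != 1:
        return False
    return cns[0].lower() in accepted


def substring_match(subject, accepted):
    """The weaker test, for contrast only: true if any allowlisted entry
    appears anywhere in the subject string."""
    return any(entry in subject for entry in accepted)


if __name__ == "__main__":
    # The subject logged in the thread, plus constructed look-alikes.
    good = "CN=client.f5net.com,OU=ps,O=f5net,L=seattle,ST=wa,C=us"
    lookalike = "CN=client.f5net.com.evil.example,OU=ps,O=f5net"
    for dn in (good, lookalike, "", "OU=ps,O=f5net"):
        print("%-60r exact=%-5s substring=%s" % (
            dn, is_authorized(dn), substring_match(dn, ACCEPTED_CNS)))
```

Running the block shows the logged subject accepted by both tests, while the constructed look-alike CN is rejected by the exact check but accepted by the substring check. Whichever comparison is used, it only means anything if the clientssl profile verifies the chain against a trusted CA first: the subject is attacker-chosen unless a CA you trust signed it.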