Forum Discussion
Maxim_Taskov_90
Nov 15, 2011, Nimbostratus
Client Certificate Validation by Subject
I am trying to use the common name CN from the x509::subject variable to validate a client certificate. I used the rule from the following post as a sample:
http://devcentral.f5.com/Communit...
Maxim_Taskov_90
Nov 16, 2011, Nimbostratus
Thanks for the reply nitass. You are probably right, why is it >1?! Anyway, I changed it to >0 and it made no difference, I still get the following TCL error when a certificate with blank subject field is presented and the connection is allowed:
Nov 16 14:34:57 tmm tmm[1672]: 01220001:3: TCL error: ebilling_client_cert_check - command returned bad code: 32 while executing "if {[SSL::cert count] > 1}{ set subject_dn [X509::subject [SSL::cert 0]] log local0. "Client Certificate Received: $subject_dn" if {$s..."
Pretty good hack!
After looking at the iRule I thought that maybe "if {[SSL::cert count] > 0 and [SSL::cert 0] ne ""}" statement is at fault as the subject_dn variable will not be populated if [SSL::cert 0] is blank, so then later on when we check for it in "if {$subject_dn eq ""}", the TCL engine has no idea what to do. Well, I removed the "and [SSL::cert 0] ne ""}" part and still got the same TCL error and the connection was allowed/accepted. I hope I am not running into some kind of iRule/TCL anomaly as I need to get this running soon and this looks like a serious security vulnerability.
I hope you guys have some additional ideas.
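An added example (not the poster's rule or F5's own code) of the CN check written so that any error in the rule, including a certificate with an empty subject, ends in a rejected connection instead of an accepted one; the allowed CN list and log messages are constructed placeholders.

```tcl
# Added example, not the original poster's iRule. The allowed CN list is a
# constructed placeholder; replace it with the CNs you actually expect.
when CLIENTSSL_CLIENTCERT {
    # Wrap every step in catch: if anything throws a TCL error, the handler
    # below rejects the connection instead of the rule aborting and the
    # handshake continuing (the fail-open behaviour seen in the thread).
    if { [catch {
        set allowed_cns [list "billing-client.example.com" "ops-client.example.com"]

        if { [SSL::cert count] < 1 } {
            error "no client certificate presented"
        }

        # Whether the subject is an empty string or X509::subject itself
        # errors on an odd certificate, both paths end in reject below.
        set subject_dn [X509::subject [SSL::cert 0]]
        log local0. "Client certificate received: subject '$subject_dn'"

        if { $subject_dn eq "" } {
            error "client certificate has an empty subject"
        }

        # Extract the CN attribute from the DN string (e.g. "CN=host,OU=x,O=y").
        if { ![regexp -nocase {(?:^|,)\s*CN=([^,]+)} $subject_dn -> cn] } {
            error "no CN attribute in subject '$subject_dn'"
        }
        set cn [string trim $cn]

        if { [lsearch -exact $allowed_cns $cn] < 0 } {
            error "CN '$cn' is not on the allowed list"
        }
    } reason] } {
        # Any error from the block above lands here: log it and fail closed.
        log local0. "Rejecting client certificate: $reason"
        reject
        return
    }
    log local0. "Client certificate accepted for CN '$cn'"
}
```

Note that the braces are spaced as `if { ... } {` throughout; the `> 1}{` fragment in the logged error is exactly the shape that TCL reports as a bad command, which is worth fixing before adjusting the count comparison.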