Forum Discussion
Maxim_Taskov_90
Nov 15, 2011 - Nimbostratus
Client Certificate Validation by Subject
I am trying to use the common name CN from the x509::subject variable to validate a client certificate. I used the rule from the following post as a sample:
http://devcentral.f5.com/Communit...
nitass
Nov 17, 2011 - Employee
thanks for the certificates and key.
[root@ve1023:Active] iRuleTest b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:https
   ip protocol tcp
   rules myrule
   profiles {
      myclientssl {
         clientside
      }
      tcp {}
   }
}
[root@ve1023:Active] iRuleTest b profile myclientssl list
profile clientssl myclientssl {
   defaults from clientssl
   ca file "clientblank_ca.crt"
   peer cert mode require
}
[root@ve1023:Active] iRuleTest b rule myrule list
rule myrule {
   when CLIENTSSL_CLIENTCERT {
      if {[SSL::cert count] > 0 and [SSL::cert 0] ne ""} {
         catch {X509::subject [SSL::cert 0]} subject_dn
         log local0. "Client Certificate Received: $subject_dn"
         if {$subject_dn eq ""} {
            log local0. "Client Certificate with blank subject was detected"
            reject
         } elseif {[matchclass $subject_dn contains ebilling_accepted_certs]} {
            log local0. "Client Certificate Accepted: $subject_dn"
         } else {
            log local0. "Unauthorized Client Certificate was detected: $subject_dn"
            reject
         }
      }
   }
}
[root@ve1023:Active] iRuleTest curl -Ik https://172.28.19.79 --cert clientblank.crt --key clientblank.key
curl: (55) SSL_write() returned SYSCALL, errno = 104
[root@ve1023:Active] iRuleTest
Nov 17 09:36:40 local/tmm info tmm[4766]: Rule myrule : Client Certificate Received:
Nov 17 09:36:40 local/tmm info tmm[4766]: Rule myrule : Client Certificate with blank subject was detected
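The decision logic of the iRule above, rewritten as an added Python example (not code from the thread or from F5) so it can be exercised offline: it parses the subject DN, rejects a blank subject as the log lines show, and compares the CN attribute exactly instead of doing the substring match that `matchclass ... contains` performs on the whole DN. It assumes the subject is presented in RFC 4514 text form (`CN=...,OU=...`); the allowlist and the DN strings are constructed sample values.

```python
import re

# Constructed allowlist of accepted common names (stands in for the data group).
ACCEPTED_CNS = {"alice.billing.example", "bob.billing.example"}

_RDN_SPLIT = re.compile(r"(?<!\\),")   # split on commas not escaped with a backslash
_UNESCAPE = re.compile(r"\\(.)")        # undo RFC 4514 backslash escapes


def parse_dn(subject_dn: str) -> list:
    """Turn 'CN=foo,OU=bar' into [('CN', 'foo'), ('OU', 'bar')]; a blank DN gives []."""
    pairs = []
    for rdn in _RDN_SPLIT.split(subject_dn):
        rdn = rdn.strip()
        if not rdn or "=" not in rdn:
            continue
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), _UNESCAPE.sub(r"\1", value.strip())))
    return pairs


def common_name(subject_dn: str) -> str:
    """Return the first CN value, or '' when the subject carries none (blank subject)."""
    for attr, value in parse_dn(subject_dn):
        if attr == "CN":
            return value
    return ""


def contains_check(subject_dn: str, allowlist: set) -> bool:
    """Mirror of `matchclass $subject_dn contains <class>`: substring match on the DN."""
    return any(entry in subject_dn for entry in allowlist)


def validate_client_cert(subject_dn: str, allowlist: set = ACCEPTED_CNS) -> str:
    """Decision for one client certificate: 'accept' or 'reject: <reason>'."""
    cn = common_name(subject_dn)
    if cn == "":
        return "reject: blank subject"
    if cn in allowlist:              # exact match on the CN attribute only
        return "accept"
    return "reject: unauthorized"


if __name__ == "__main__":
    for dn in ("", "CN=alice.billing.example,OU=Billing,O=Example",
               "CN=alice.billing.example.evil,O=Test"):
        print(repr(dn), "->", validate_client_cert(dn),
              "| contains-style match:", contains_check(dn, ACCEPTED_CNS))
```

The third sample DN passes the substring-style check but is rejected by the exact CN comparison, which is the difference a data group of full DN strings matched with `contains` does not give you.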