Forum Discussion
Maxim_Taskov_90
Nov 15, 2011 (Nimbostratus)
Client Certificate Validation by Subject
I am trying to use the common name CN from the x509::subject variable to validate a client certificate. I used the rule from the following post as a sample:
http://devcentral.f5.com/Communit...
Maxim_Taskov_90
Nov 18, 2011 (Nimbostratus)
Hoolio, nitass, this is what F5 Engineering Services delivered as a workaround but I can't make it compile yet, I am still trying to figure out the logic:
when CLIENTSSL_CLIENTCERT {
    # Tcl requires whitespace between the condition braces and the body
    # braces; "}{" fails to compile with "extra characters after close-brace"
    if { [SSL::cert count] > 0 } {
        # Dump the selected certificate fields for troubleshooting
        set allfield "[X509::cert_fields [SSL::cert 0] [SSL::verify_result] issuer subject sigalg validity hash]"
        log local0. "$allfield"
        if { $allfield contains "SSLClientCertSubject" } {
            log local0. "matched SSLClientCertSubject"
            set subject_dn [X509::subject [SSL::cert 0]]
        } else {
            log local0. "not matched SSLClientCertSubject"
            set subject_dn ""
        }
        log local0. "Client Certificate Received: $subject_dn"
        if { $subject_dn eq "" } {
            log local0. "Client Certificate with blank subject was detected"
            reject
        } elseif { [matchclass $subject_dn contains ebilling_accepted_certs] } {
            log local0. "Client Certificate Accepted: $subject_dn"
        } else {
            log local0. "Unauthorized Client Certificate was detected: $subject_dn"
            reject
        }
    }
}
Can you see a syntax error anywhere or is it the logic that is flawed?
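The decision logic the rule above is aiming for (reject a blank subject, reject anything whose CN is not on the accepted list), written out in Python as an added example so it can be run and checked offline; this is not code from the post or from F5. It assumes the subject arrives as the comma-separated DN string that X509::subject returns, that a verify result of 0 means the chain validated, and that the accepted-CN list stands in for the ebilling_accepted_certs data group; the CN is compared exactly rather than with a substring test.

```python
import re

# Constructed allow list standing in for the ebilling_accepted_certs data group.
ALLOWED_CNS = {"ebilling-client-01", "ebilling-client-02"}

# Split an RFC 4514 style DN ("CN=x,OU=y,O=z") only on commas that are not escaped.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_subject(subject_dn):
    """Return the DN as a list of (attribute, value) pairs, unescaping '\\,'."""
    rdns = []
    for part in _RDN_SPLIT.split(subject_dn):
        part = part.strip()
        if not part or "=" not in part:
            continue
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.replace("\\,", ",")))
    return rdns


def common_name(subject_dn):
    """First CN in the subject, or None when the DN carries no CN at all."""
    for attr, value in parse_subject(subject_dn):
        if attr == "CN":
            return value
    return None


def authorize_client(subject_dn, verify_result, allowed_cns=ALLOWED_CNS):
    """Mirror the iRule's accept/reject decision and return (verdict, reason)."""
    if verify_result != 0:            # assumed: 0 = chain verified against the CA bundle
        return "reject", "certificate failed chain validation"
    if subject_dn.strip() == "":      # the blank-subject case the rule logs and rejects
        return "reject", "blank subject"
    cn = common_name(subject_dn)
    if cn is None:
        return "reject", "subject has no CN"
    if cn in allowed_cns:             # exact match, not a substring test
        return "accept", cn
    return "reject", "CN not in allow list: " + cn


if __name__ == "__main__":
    # Constructed sample subject in the form X509::subject would hand to the rule.
    print(authorize_client("CN=ebilling-client-01,OU=Billing,O=Example Corp,C=US", 0))
```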