Maxim_Taskov_90
Nov 15, 2011Nimbostratus
Client Certificate Validation by Subject
I am trying to use the common name CN from the x509::subject variable to validate a client certificate. I used the rule from the following post as a sample:
http://devcentral.f5.com/Communit...
nitass
Nov 29, 2011Employee
hi Maxim,
sorry i missed your message. i tested Engineering Service's irule and it seemed to be okay too.
[root@ve1023:Active] iRuleTest b virtual bar list
virtual bar {
snat automap
pool foo
destination 172.28.19.79:443
ip protocol 6
rules myrule
profiles {
http {}
myclientssl {
clientside
}
tcp {}
}
}
[root@ve1023:Active] iRuleTest b profile myclientssl list
profile clientssl myclientssl {
defaults from clientssl
ca file "clientblank_ca.crt"
peer cert mode require
}
[root@ve1023:Active] iRuleTest b rule myrule list
rule myrule {
# Runs once the client has presented a certificate during the SSL handshake.
when CLIENTSSL_CLIENTCERT {
# No certificate presented: this rule takes no action. Enforcing that a cert
# must be presented is left to the clientssl profile (peer cert mode require,
# see the profile listing above); with a weaker peer cert mode this branch
# would silently let the connection through.
if {[SSL::cert count] > 0}{
# One string holding the selected X509 fields of the first client cert.
# When the certificate subject is blank, the SSLClientCertSubject field is
# simply absent from this string (compare the tmm log output below).
set allfield "[X509::cert_fields [SSL::cert 0] [SSL::verify_result] issuer subject sigalg validity hash]"
log local0. "$allfield"
# Substring test: was a subject field present at all?
if { $allfield contains "SSLClientCertSubject" } {
log local0. "matched SSLClientCertSubject"
# Full subject DN (same shape as the issuer value in the log, CN=...,DC=...).
set subject_dn [X509::subject [SSL::cert 0]]
} else {
log local0. "not matched SSLClientCertSubject"
# Blank subject: force the empty string so the check below rejects it.
set subject_dn ""
}
log local0. "Client Certificate Received: $subject_dn"
# Decision: blank subject -> reject; subject listed in the data group -> accept;
# anything else -> reject.
# NOTE(review): "contains" is a substring match, so a data-group entry that is
# only a fragment of the DN (e.g. the CN alone) is enough to accept; if the
# entries hold full DNs, the stricter "equals" operator avoids partial matches.
# matchclass is the older form of this lookup; newer releases provide
# "class match" -- confirm which applies to the running version.
if {$subject_dn eq ""} {
log local0. "Client Certificate with blank subject was detected"
reject
} elseif {[matchclass $subject_dn contains ebilling_accepted_certs]} {
log local0. "Client Certificate Accepted: $subject_dn"
} else {
log local0. "Unauthorized Client Certificate was detected: $subject_dn"
reject
}
}
}
}
[root@ve1023:Active] iRuleTest curl -ik https://172.28.19.79 --cert ./clientblank.crt --key ./clientblank.key
curl: (55) SSL_write() returned SYSCALL, errno = 104
[root@ve1023:Active] iRuleTest
Nov 28 20:22:26 local/tmm info tmm[23027]: Rule myrule : SSLClientCertStatus OK SSLClientCertIssuer {CN=Cartus Enrolment CA,DC=production,DC=cendantmobility,DC=net} SSLClientCertSignatureAlgorithm sha1WithRSAEncryption SSLClientCertNotValidBefore {Oct 23 20:55:00 2011 GMT} SSLClientCertNotValidAfter {Oct 22 20:55:00 2012 GMT} SSLClientCertHash e6:44:7e:d2:5e:6b:be:a0:e8:45:53:d2:17:0a:2d:ac
Nov 28 20:22:26 local/tmm info tmm[23027]: Rule myrule : not matched SSLClientCertSubject
Nov 28 20:22:26 local/tmm info tmm[23027]: Rule myrule : Client Certificate Received:
Nov 28 20:22:26 local/tmm info tmm[23027]: Rule myrule : Client Certificate with blank subject was detected