Forum Discussion
Maxim_Taskov_90
Nov 15, 2011 (Nimbostratus)
Client Certificate Validation by Subject
I am trying to use the common name CN from the x509::subject variable to validate a client certificate. I used the rule from the following post as a sample:
http://devcentral.f5.com/Communit...
Maxim_Taskov_90
Dec 03, 2011 (Nimbostratus)
Thank you nitass. Sorry for the delayed response, but I was away for almost two weeks. Your latest update to the iRule works as desired. This solves my problem. I still don't know why Rule 1 below will not compile and Rule 2, the latest one in the above thread, compiles fine. I looked at them character by character and I still cannot see the difference; it has to be some space or special character somewhere that confuses the compiler, as when it fails to compile, it fails with a long thread of errors, which are usually indicative of a missing brace or bracket where the logic of the rule is completely incomprehensible to the compiler. Regardless, the second rule works fine and that makes me happy.
I also closed the F5 support case. Their last statement was that the DevCentral workaround should be the fix and that if I want to avoid the TCL bug and make my original rule work, I need to go to BIG-IP OS 10.2.1. I cannot do that at present, but I plan to do so in the not so distant future.
Thank you again for your timely and professional support. Regards, Maxim
RULE 1
---------------------------------------
when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] > 0}{
        set allfield "[X509::cert_fields [SSL::cert 0] [SSL::verify_result] issuer subject sigalg validity hash]"
        log local0. "$allfield"
        if { $allfield contains "SSLClientCertSubject" } {
            log local0. "matched SSLClientCertSubject"
            set subject_dn [X509::subject [SSL::cert 0]]
        }else{
            log local0. "not matched SSLClientCertSubject"
            set subject_dn ""
        }
        log local0. "Client Certificate Received: $subject_dn"
        if {$subject_dn eq ""} {
            log local0. "Client Certificate with blank subject was detected"
            reject
        }elseif{[matchclass $subject_dn contains ebilling_accepted_certs]} {
            log local0. "Client Certificate Accepted: $subject_dn"
        }else{
            log local0. "Unauthorized Client Certificate was detected: $subject_dn"
            reject
        }
    }
}
RULE 2
---------------------------------------
when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] > 0}{
        set allfield "[X509::cert_fields [SSL::cert 0] [SSL::verify_result] issuer subject sigalg validity hash]"
        log local0. "$allfield"
        if { $allfield contains "SSLClientCertSubject" } {
            log local0. "matched SSLClientCertSubject"
            set subject_dn [X509::subject [SSL::cert 0]]
        } else {
            log local0. "not matched SSLClientCertSubject"
            set subject_dn ""
        }
        log local0. "Client Certificate Received: $subject_dn"
        if {$subject_dn eq ""} {
            log local0. "Client Certificate with blank subject was detected"
            reject
        } elseif {[matchclass $subject_dn contains ebilling_accepted_certs]} {
            log local0. "Client Certificate Accepted: $subject_dn"
        } else {
            log local0. "Unauthorized Client Certificate was detected: $subject_dn"
            reject
        }
    }
}
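The check these rules perform, rewritten in Python as an added example (not code from the thread or from F5) so it can be exercised off-box: parse the subject DN, reject a blank subject, and compare the CN against an allowlist. It assumes the subject is delivered as a string of the form `CN=...,OU=...,O=...` and uses a constructed allowlist in place of the `ebilling_accepted_certs` data group; it also shows, next to the exact-CN decision, what a `contains`-style substring check would accept for the same subjects.

```python
import re

# Constructed allowlist standing in for the ebilling_accepted_certs data group
# used by the iRule (values are hypothetical).
ACCEPTED_CNS = {"ebilling-client", "ebilling-batch"}

def parse_dn(dn: str) -> dict:
    """Split a DN such as "CN=a,OU=b,O=c" into a dict keyed by attribute type.
    A comma escaped with a backslash stays inside the value."""
    fields = {}
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            continue
        key, _, value = rdn.partition("=")
        fields[key.strip().upper()] = value.strip().replace("\\,", ",")
    return fields

def validate_subject(subject_dn: str) -> tuple:
    """Mirror the iRule's decision: reject a blank subject, accept only an
    exact CN match, reject everything else. Returns (decision, reason)."""
    if not subject_dn.strip():
        return ("reject", "blank subject")
    cn = parse_dn(subject_dn).get("CN", "")
    if cn in ACCEPTED_CNS:
        return ("accept", f"CN {cn!r} is in the accepted list")
    return ("reject", f"CN {cn!r} is not in the accepted list")

def substring_match(subject_dn: str) -> bool:
    """What a `contains`-style check does: true if any accepted CN appears
    anywhere in the DN string, including as part of a longer name."""
    return any(cn in subject_dn for cn in ACCEPTED_CNS)

if __name__ == "__main__":
    # Constructed sample subjects: a blank one, an accepted CN, a CN that only
    # contains an accepted CN as a prefix, and a value with an escaped comma.
    samples = [
        "",
        "CN=ebilling-client,OU=Billing,O=Example Corp",
        "CN=ebilling-client-test,OU=Lab,O=Example Corp",
        "CN=Acme\\, Inc. Portal,O=Acme",
    ]
    for dn in samples:
        decision, reason = validate_subject(dn)
        print(f"{dn!r:48} exact={decision:6} contains={substring_match(dn)}  ({reason})")
```

The third sample is the case to watch: the exact comparison rejects it, while the substring check accepts it because an allowed CN is a prefix of its CN.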