Client Certificate Verification using Request

Question

Hello. Wondering if there is an iRule equivalent of the "Client Certificate - Require" and "Trusted Certificate Authorities - Bundle" in the SSL Profile. I have a situation where I need to set the "Client Certificate" to request but still verify the cert. The cert is only verified when "Client Certificate" is set to require. I know I can build a rule that checks the issuer angainst a data group, etc. but I am looking for a feature-parity approach in an iRule. Thanks.

erich_rockman_1 · Accepted Answer

I decided to go with something like this:
when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] &gt; 0} {
set error_code [SSL::verify_result]
set error_code_string [X509::verify_cert_error_string [SSL::verify_result]]
    log local0. "error_code = $error_code" 
    log local0. "error_code_string = $error_code_string"

if { $error_code ne 0 } {
        reject
        return
    }
}

}

Forum Discussion

Client Certificate Verification using Request

Recent Discussions

Background Tasks

Which process is consuming higher CPU

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Client SSL Profile set to Require Client Certificate breaks RDP in APM

Related Content

Re: Management Certificate

Certifications for security professionals

Certificate Expiry Email alert configuration

LTM Certificate expire

FTP Monitor File Existence Verification

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS