Forum Discussion
CLIENTSSL - iRule
- Dec 10, 2019
When you set the option to request, it's not a forced method. It's more like optional. You have to set it to require to make it a forced option. You can refer to the peer-cert-mode options in depth through the KB article.
Refer to the cloud docs for extracting more fields: https://clouddocs.f5.com/api/irules/X509.html
The below iRule should help with your requirement.
```tcl
ltm rule CERT_DETAILS {
    when CLIENTSSL_CLIENTCERT {
        # Did the client present a certificate at all?
        if { [SSL::cert count] > 0 } {
            # 0 means the chain verified against the profile's trusted CAs
            if { [SSL::verify_result] == 0 } {
                set subject [X509::subject [SSL::cert 0]]
                # findstr: skip the 3 chars of "CN=" and stop at the next ","
                set common_name [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
                set serial [X509::serial_number [SSL::cert 0]]
                set hash [X509::hash [SSL::cert 0]]
                log local0. "Client certificate details --> SUBJECT= $subject, COMMON NAME= $common_name, SERIAL= $serial, HASH= $hash"
            } else {
                # Cert was presented but did not verify; log the OpenSSL reason string
                log local0. "Client - [IP::client_addr] has provided an INVALID client certificate: [X509::verify_cert_error_string [SSL::verify_result]]"
            }
        } else {
            log local0. "Client - [IP::client_addr] provided no cert."
        }
    }
}
```
If an application makes a request to the VIP to access the servers, will the "Require" option force the machine to use its certificate in its cert store, or will this just force it to request it?
I am attempting to passively see what the client is passing, if in fact it is passing a certificate.
- Cirrus, Dec 10, 2019
I tweaked the above statement to post the output for the Client Certificate.
That solved what I was trying to get at. Thanks!
- jaikumar_f5, Dec 11, 2019 (MVP)
A require is like - REQUIRED. Meaning it is needed. So it's a force setting asking the client to provide the certificate. The certificate could be anything from his cert store. Often it will be his machine certificate. Or it could be one of multiple other app-related certificates the client machine has installed. Also to note, here the SSL session does not get established unless the cert is provided.
Whereas the Request is like making a REQUEST: if he gives it, it logs. If he doesn't share it, it still proceeds. Hope this helps.
If you think the issue is solved, feel free to mark the thread closed as solution provided.
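As an added example (not from the thread's participants), here is how the two peer-cert-mode settings discussed above look in tmsh, side by side, with the CERT_DETAILS iRule attached for the passive-logging case. The profile names clientssl_observe and clientssl_enforce, the CA object corp-root-ca.crt and the virtual server vs_app are assumed names for illustration; the CA certificate must already be imported as a BIG-IP certificate object, and both profiles inherit their server cert/key from the built-in clientssl parent.

```tmsh
# Passive mode: the BIG-IP asks for a client cert in the handshake but the
# session is established whether or not one is sent. ca-file is what
# SSL::verify_result is checked against when a cert does arrive.
# (Assumed names: clientssl_observe, corp-root-ca.crt)
create ltm profile client-ssl clientssl_observe defaults-from clientssl \
    peer-cert-mode request ca-file corp-root-ca.crt

# Enforcing mode: same profile, but the handshake fails unless the client
# presents a certificate that verifies against ca-file. No HTTP request
# ever reaches the pool, so an iRule cannot log the failure at L7.
# (Assumed name: clientssl_enforce)
create ltm profile client-ssl clientssl_enforce defaults-from clientssl \
    peer-cert-mode require ca-file corp-root-ca.crt

# Attach the passive profile plus the logging iRule from the thread to the
# virtual server to see what clients actually send. (Assumed name: vs_app)
modify ltm virtual vs_app profiles add { clientssl_observe { context clientside } }
modify ltm virtual vs_app rules { CERT_DETAILS }

# Once the logs confirm every legitimate client sends a trusted cert,
# swap the profile to enforce.
modify ltm virtual vs_app profiles delete { clientssl_observe }
modify ltm virtual vs_app profiles add { clientssl_enforce { context clientside } }

save sys config
```

Run these from the tmsh prompt (or prefix each with `tmsh` from bash). Two caveats a practitioner should keep in mind: with `request`, a client that sends a certificate not chaining to ca-file is still connected and shows up in the logs as INVALID, so the observe phase should be used to find and fix those clients before switching to `require`; and with `require`, rejection happens inside the TLS handshake, so the evidence is in the client SSL profile statistics (handshake failures) rather than in iRule log lines.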