JCMATTOS_41723
Nov 01, 2011 Nimbostratus
CN list for x509::subject?
We have a current iRule CN list that works great, and would like to somehow lowercase the X509::subject characters to eliminate case-sensitive subjects. Not sure if that's possible, but I tried something like this and it did not work. Any ideas?
when CLIENTSSL_CLIENTCERT {
    # Check if client provided a cert
    if {[SSL::cert 0] eq ""}{
        log "Client Certificate Missing"
        reject
    } else {
        set subject_dn [X509::subject [SSL::cert 0]]
        log "Client Certificate Received: $subject_dn"
        if {([matchclass [string tolower [$subject_dn]] contains $::cn_list]) } {
            # Accept the client cert
            log "Client Certificate Accepted: $subject_dn [SSL::cert count]"
        } else {
            log "Client Certificate Mismatch: $subject_dn [SSL::cert count]"
            reject
        }
    }
}
- Michael_Yates (Nimbostratus): Hi JCMATTOS,
  set subject_dn [string tolower [X509::subject [SSL::cert 0]]]
- nitass (Employee): e.g.
  [root@iris:Active] config # b virtual bar list
  virtual bar {
     snat automap
     pool foo
     destination 172.28.17.33:https
     ip protocol tcp
     rules myrule
     profiles {
        myclientssl {
           clientside
        }
        tcp {}
     }
  }
  [root@iris:Active] config # b rule myrule list
  rule myrule {
     when CLIENTSSL_CLIENTCERT {
        log local0. "[X509::subject [SSL::cert 0]]"
        log local0. "[string tolower [X509::subject [SSL::cert 0]]]"
     }
  }
  [root@iris:Active] config # curl -Ik https://172.28.17.33/ --cert /var/tmp/ca/client.crt --key /var/tmp/ca/client.key
  HTTP/1.1 200 OK
  Date: Wed, 02 Nov 2011 03:56:20 GMT
  Server: Apache/2.0.59 (rPath)
  Last-Modified: Sat, 11 Jun 2011 00:31:47 GMT
  ETag: "667a-67-cfb682c0"
  Accept-Ranges: bytes
  Content-Length: 103
  Vary: Accept-Encoding
  Set-Cookie: testcookie=helloworld
  Content-Type: text/html; charset=UTF-8

  [root@iris:Active] config # cat /var/log/ltm
  Nov 2 20:46:10 local/tmm info tmm[1609]: Rule myrule : CN=client.f5net.com,OU=ps,O=f5net,L=seattle,ST=wa,C=us
  Nov 2 20:46:10 local/tmm info tmm[1609]: Rule myrule : cn=client.f5net.com,ou=ps,o=f5net,l=seattle,st=wa,c=us
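The two replies combined into one iRule, as an added example that is not code from any poster in this thread: the subject is lowercased once at assignment, and, going a step beyond the thread, only the CN value is compared, exactly, instead of substring-matching the whole DN. It assumes the `cn_list` data group holds bare CN values stored in lowercase and that no CN contains an escaped comma; lowercasing the subject alone does not help if the list entries are mixed case.

```tcl
when CLIENTSSL_CLIENTCERT {
    # No certificate presented: nothing to match, drop the connection.
    if { [SSL::cert 0] eq "" } {
        log local0. "Client Certificate Missing"
        reject
        return
    }

    # Normalise once. Note the value is passed as $subject_dn, not
    # [$subject_dn], which would try to run the DN as a Tcl command.
    set subject_dn [string tolower [X509::subject [SSL::cert 0]]]
    log local0. "Client Certificate Received: $subject_dn"

    # Extract the CN attribute value from the already-lowercased DN.
    # Assumption: the CN value contains no escaped commas.
    if { ![regexp {(?:^|,)\s*cn=([^,]+)} $subject_dn -> cn] } {
        log local0. "Client Certificate has no CN: $subject_dn"
        reject
        return
    }
    set cn [string trim $cn]

    # Exact comparison against the data group.
    # Assumption: every cn_list entry is a bare CN stored in lowercase.
    if { [matchclass $cn equals $::cn_list] } {
        log local0. "Client Certificate Accepted: $cn [SSL::cert count]"
    } else {
        log local0. "Client Certificate Mismatch: $cn [SSL::cert count]"
        reject
    }
}
```

If the existing `cn_list` entries are DN fragments rather than bare CNs, keep the thread's `contains` match on `$subject_dn` and lowercase the list entries instead.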