Forum Discussion

JCMATTOS_41723's avatar
JCMATTOS_41723
Icon for Nimbostratus rankNimbostratus
Nov 01, 2011

CN list for x509::subject?

We have a current irule CN list that works great, and would like to somehow lowercase the X509::subject characters to eliminate case sensitive subjects? Not sure if thats possible but I tried something like this and it did not work. Any ideas?

 

 

when CLIENTSSL_CLIENTCERT {

 

Check if client provided a cert

 

if {[SSL::cert 0] eq ""}{

 

log "Client Certificate Missing"

 

reject

 

 

} else {

 

set subject_dn [X509::subject [SSL::cert 0]]

 

log "Client Certificate Received: $subject_dn"

 

if {([matchclass [string tolower [$subject_dn]] contains $::cn_list]) } {

 

Accept the client cert

 

log "Client Certificate Accepted: $subject_dn [SSL::cert count]"

 

} else {

 

log "Client Certificate Mismatch: $subject_dn [SSL::cert count]"

 

reject

 

}

 

}

 

}

 

 

 

 

 

 

 

  • Hi JCMATTOS,

    I do not have a ClientSSL Certificate to test with at the moment, but can you try the string tolower on the set?

    
    set subject_dn [string tolower [X509::subject [SSL::cert 0]]
    
  • e.g.

    [root@iris:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.17.33:https
       ip protocol tcp
       rules myrule
       profiles {
          myclientssl {
             clientside
          }
          tcp {}
       }
    }
    [root@iris:Active] config  b rule myrule list
    rule myrule {
       when CLIENTSSL_CLIENTCERT {
            log local0. "[X509::subject [SSL::cert 0]]"
            log local0. "[string tolower [X509::subject [SSL::cert 0]]]"
    }
    }
    
    [root@iris:Active] config  curl -Ik https://172.28.17.33/ --cert /var/tmp/ca/client.crt --key /var/tmp/ca/client.key
    HTTP/1.1 200 OK
    Date: Wed, 02 Nov 2011 03:56:20 GMT
    Server: Apache/2.0.59 (rPath)
    Last-Modified: Sat, 11 Jun 2011 00:31:47 GMT
    ETag: "667a-67-cfb682c0"
    Accept-Ranges: bytes
    Content-Length: 103
    Vary: Accept-Encoding
    Set-Cookie: testcookie=helloworld
    Content-Type: text/html; charset=UTF-8
    
    [root@iris:Active] config  cat /var/log/ltm
    Nov  2 20:46:10 local/tmm info tmm[1609]: Rule myrule : CN=client.f5net.com,OU=ps,O=f5net,L=seattle,ST=wa,C=us
    Nov  2 20:46:10 local/tmm info tmm[1609]: Rule myrule : cn=client.f5net.com,ou=ps,o=f5net,l=seattle,st=wa,c=us