CN list for x509::subject?

Question

We have a current irule CN list that works great, and would like to somehow lowercase the X509::subject characters to eliminate case sensitive subjects? Not sure if thats possible but I tried something like this and it did not work. Any ideas?&nbsp;
&nbsp;when CLIENTSSL_CLIENTCERT {&nbsp;
    Check if client provided a cert
&nbsp;   if {[SSL::cert 0] eq ""}{
&nbsp;      log "Client Certificate Missing"
&nbsp;      reject &nbsp;

&nbsp;   } else {&nbsp;
      set subject_dn [X509::subject [SSL::cert 0]]
&nbsp;      log "Client Certificate Received: $subject_dn"
&nbsp;      if {([matchclass [string tolower [$subject_dn]] contains $::cn_list]) } {
&nbsp;         Accept the client cert
&nbsp;         log "Client Certificate Accepted: $subject_dn [SSL::cert count]"
&nbsp;      } else {
&nbsp;         log "Client Certificate Mismatch: $subject_dn [SSL::cert count]"
&nbsp;         reject
&nbsp;      }
&nbsp;   }
&nbsp;}&nbsp;

&nbsp;
&nbsp;

&nbsp; &nbsp;

michael_yates · Answer

Hi JCMATTOS, 
  
 I do not have a ClientSSL Certificate to test with at the moment, but can you try the string tolower on the set? 
 
set subject_dn [string tolower [X509::subject [SSL::cert 0]]

nitass · Answer

e.g. 
  
 [root@iris:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.17.33:https
   ip protocol tcp
   rules myrule
   profiles {
      myclientssl {
         clientside
      }
      tcp {}
   }
}
[root@iris:Active] config  b rule myrule list
rule myrule {
   when CLIENTSSL_CLIENTCERT {
        log local0. "[X509::subject [SSL::cert 0]]"
        log local0. "[string tolower [X509::subject [SSL::cert 0]]]"
}
}

[root@iris:Active] config  curl -Ik https://172.28.17.33/ --cert /var/tmp/ca/client.crt --key /var/tmp/ca/client.key
HTTP/1.1 200 OK
Date: Wed, 02 Nov 2011 03:56:20 GMT
Server: Apache/2.0.59 (rPath)
Last-Modified: Sat, 11 Jun 2011 00:31:47 GMT
ETag: "667a-67-cfb682c0"
Accept-Ranges: bytes
Content-Length: 103
Vary: Accept-Encoding
Set-Cookie: testcookie=helloworld
Content-Type: text/html; charset=UTF-8

[root@iris:Active] config  cat /var/log/ltm
Nov  2 20:46:10 local/tmm info tmm[1609]: Rule myrule : CN=client.f5net.com,OU=ps,O=f5net,L=seattle,ST=wa,C=us
Nov  2 20:46:10 local/tmm info tmm[1609]: Rule myrule : cn=client.f5net.com,ou=ps,o=f5net,l=seattle,st=wa,c=us

Forum Discussion

CN list for x509::subject?

2 Replies

Recent Discussions

TELEGRAMA @CANNAUNION DINERO FALSO 💸✔💸

Handling IP Geolocation Conflicts with AWAF for Internal LAN Addresses

F5 AWAF with HTTP/2, MRF and Websocket profiles

What parameter sections can be checked to find out the cause of slow GUI access?

Issue with worker_connections limits in Nginx+

Related Content

X509 Subject Formatting

F5 402 Exam reading list and notes

Intermediate iRules: Handling Lists

list ltm profile

List BIG-IP Next Instance Backups on Central Manager