For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sonny's avatar
Sonny
Icon for Cirrus rankCirrus
May 12, 2010

Ignore "Extended Key Usage" field in Cert

Looking for help with an iRule to ignore a field in the cert. In particular, I want the F5 to ignore the "Extended Key Usage" field of the cert. Background info: I have a connection in which the serve...
application delivery
dev
devops
iRules
Sonny's avatar
Sonny
Icon for Cirrus rankCirrus
May 14, 2010
Yeah, the client is currently using this iRule to check the validity of the cert.:

 

 

when CLIENTSSL_CLIENTCERT {

 

log cron.warning [SSL::verify_result]

 

SSL::verify_result 0

 

log cron.warning [SSL::verify_result]

 

}

 

 

and from the logs...

 

 

May 13 08:55:30 tmm tmm[1249]: Rule XXXX-irule

 

: 26

 

May 13 08:55:30 tmm tmm[1249]: Rule XXXX-irule

 

: 0

 

 

and from the "26" code:

 

 

http://www.openssl.org/docs/apps/ve...IAGNOSTICS:

 

 

26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose the supplied certificate cannot be used for the specified purpose.

 

 

So what we want to do is try to come up with an iRule to look at the cert and then ignore the specific "extended key usage" field in the cert. Hope this helps... We could just get another cert BUT that $$$.