For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

uni's avatar
uni
Icon for Altocumulus rankAltocumulus
Oct 08, 2013

I think your client has not supplied a certificate. Check that [SSL::cert count] > 0 before executing [X509::subject [SSL::cert 0]]

 

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 08, 2013
    I don't believe the CLIENTSSL_CLIENTCERT event will be triggered if the client isn't presenting a certificate.
  • uni's avatar
    uni
    Icon for Altocumulus rankAltocumulus
    Oct 08, 2013
    Good point. I wonder why there is a TCL error then
  • uni's avatar
    uni
    Icon for Altocumulus rankAltocumulus
    Oct 08, 2013
    The event is triggered. I have a rule which logs the cert count in that event, and it logs 0 regularly. Jim should look at the example in the Wiki: https://clouddocs.f5.com/api/irules/X509__subject.html It does almost exactly what he wants. He will need to pick out the CN from the subject. e.g change the test to if { [X509::subject [SSL::cert 0]] contains "CN=my.common.name" }
  • uni's avatar
    uni
    Icon for Altocumulus rankAltocumulus
    Oct 08, 2013
    Further to the point about when the CLIENTSSL_CLIENTCERT event is triggered, the Wiki says "Triggered when the system receives a certificate message from the client. The message may contain zero or more certificates"