Forum Discussion
newbie_89507
Nimbostratus
Sep 11, 2009
iRule for SSL client authentication
I'm new to this forum and new to the F5 world. Recently bought an F5 running version 9.4.7.
I have a virtual server with a valid SSL certificate. I need to write an iRule so that when a client tries to connect to the VS on the F5 (which has a valid cert), it asks the client to present a valid certificate; once the client presents a valid certificate, it will allow connectivity. I also need to specify in the iRule that it checks the certificate and allows only the certificate specified in the iRule, not any valid SSL certificate.
URGENT
3 Replies
- The_Bhattman
Nimbostratus
hi Syed,
Have you looked at the following sample code?
http://devcentral.f5.com/wiki/default.aspx/iRules/ClientCertificateCNChecking.html
CB
- newbie_89507
Nimbostratus
I want to authenticate via thumbprint and CN.
- newbie_89507
Nimbostratus
Would this iRule be enough?
class my_thumbprint_list {
   "Thumbprint= 9e 0f 40 e2 43 1c"
}
Add this iRule:
when RULE_INIT {
   # Organisation (O=) that the client certificate subject must contain
   set ::org "O=my Organisation"
}
when CLIENTSSL_CLIENTCERT {
   # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
   set subject_dn [X509::subject [SSL::cert 0]]
   # Fingerprint of the presented certificate. The thumbprint is a property of the
   # certificate, not of its subject DN, so it is compared against the data group
   # separately. Entries in my_thumbprint_list must be stored in exactly the
   # format that X509::hash returns on this BIG-IP version.
   set cert_hash [X509::hash [SSL::cert 0]]
   log "Client Certificate Received: $subject_dn (hash: $cert_hash)"
   # Accept only if the fingerprint is in the list and the subject has the correct O
   if { ([matchclass $cert_hash equals $::my_thumbprint_list]) and ($subject_dn contains $::org) } {
      # Accept the client cert
      log "Client Certificate Accepted: $subject_dn"
   } else {
      log "No Matching Client Certificate Was Found Using: $subject_dn"
      reject
   }
}
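The same accept/reject decision the iRule above makes (fingerprint in an allow-list, required O=, CN from a list) can be checked offline before the data group is populated, which is useful for working out the exact thumbprint string to store and for seeing why a certificate is rejected. The following Python is an added example written for this thread; it is not F5 code and not part of the original posts. It assumes the OpenSSL-style one-line subject DN format shown in the thread and defaults to a SHA-1 fingerprint; the algorithm and formatting the BIG-IP's X509::hash returns must be confirmed for the version in use. Unlike the iRule's substring `contains` test, it compares each RDN exactly, so "O=my Organisation Ltd" does not satisfy "O=my Organisation" and "CN=Johnny" does not satisfy "CN=John".

```python
import hashlib
import re
import ssl


def parse_subject_dn(dn):
    """Parse an OpenSSL one-line DN such as
    /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
    into an ordered list of (attribute, value) pairs. Attributes may repeat."""
    pairs = []
    for part in dn.split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def dn_values(pairs, attr):
    """All values of one attribute type, in order of appearance."""
    return [v for a, v in pairs if a == attr]


def fingerprint(der_bytes, algo="sha1"):
    """Certificate thumbprint over the DER encoding, lowercase, space-separated
    ("9e 0f 40 ..."), matching the style of the data group entry in the thread."""
    digest = hashlib.new(algo, der_bytes).hexdigest()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem_text, algo="sha1"):
    """Thumbprint of a PEM certificate (stdlib conversion to DER, no parsing)."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem_text), algo)


def normalize_thumbprint(text):
    """Accept '9E:0F:40', '9e 0f 40' or '9e0f40' and return the spaced lowercase form,
    so allow-list entries can be pasted from any tool's output."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    return " ".join(hex_only[i:i + 2] for i in range(0, len(hex_only), 2))


def authorize_client_cert(subject_dn, der_bytes, allowed_thumbprints,
                          required_org, allowed_cns, algo="sha1"):
    """Mirror of the iRule's decision with exact RDN matching.
    Returns (accepted, reason); the reason is what you would log on reject."""
    pairs = parse_subject_dn(subject_dn)
    fp = fingerprint(der_bytes, algo)
    allowed = {normalize_thumbprint(t) for t in allowed_thumbprints}
    if fp not in allowed:
        return False, "fingerprint %s not in allow-list" % fp
    if dn_values(pairs, "O") != [required_org]:
        return False, "organisation mismatch"
    cns = dn_values(pairs, "CN")
    if len(cns) != 1 or cns[0] not in allowed_cns:
        return False, "CN not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample input: an empty byte string stands in for the DER bytes
    # of a real certificate, and the allow-list holds its SHA-1 in colon form.
    SAMPLE_DER = b""
    ALLOWED = ["DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09"]
    for dn in ("/C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith",
               "/C=AU/O=Your Organisation Ltd/CN=John Smith",
               "/C=AU/O=Your Organisation/CN=Johnny"):
        ok, why = authorize_client_cert(dn, SAMPLE_DER, ALLOWED,
                                        "Your Organisation", {"John Smith"})
        print("ACCEPT" if ok else "REJECT", dn, "-", why)
```

Populate the data group with the exact string `fingerprint()` returns for the certificate you intend to allow, and confirm against a BIG-IP log line from the iRule that the format (algorithm, case, separator) is the one X509::hash produces on your version before relying on the match.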