iRULE for SSL2WAYS, Client certificate verification
Hello,
I have an iRule to check whether the client certificate is OK; the check is on the CN, and there is a verification that the client certificate's authority is known by the F5.
Here is the iRule; is there any error in it?
when CLIENT_ACCEPTED {
    # Initialise the flags once per connection so HTTP_REQUEST never reads an
    # unset variable when CLIENTSSL_CLIENTCERT does not fire for this connection
    set error_page 0
    set error_string ""
}

when CLIENTSSL_CLIENTCERT {
    # Reset on every (re)negotiation
    set error_page 0
    # Check if there is a client cert
    if { [SSL::cert count] > 0 } {
        # Check if there was no error in validating the client cert against the CA bundle
        if { [SSL::verify_result] == 0 } {
            log local0. "Client Certificate is validated by CA Bundle"
            set cert [SSL::cert 0]
            # Take the value of the CN attribute out of the subject DN
            set CN [getfield [getfield [X509::subject $cert] "CN=" 2] "," 1]
            log local0. "The CN is: $CN"
            # The comparison is done in lower case, so the literals below must be lower case too
            set subject [string tolower $CN]
            log local0. "The CN in lower case is: $subject"
            # $subject holds only the CN value (no "cn=" prefix), so the literals are bare host names
            if { ($subject equals "mysitea.fr") || ($subject contains "mysiteb.fr") || ($subject equals "mysitec.fr") || ($subject contains "mysited.fr") } {
                log local0. "Client certificate matches the list of authorized CNs"
                return
            } else {
                set error_string "CN not valid"
                set error_page 1
                log local0. "$error_string"
            }
        } else {
            set error_string "Client certificate provided not validated by CA Bundle"
            set error_page 1
            log local0. "$error_string"
        }
    } else {
        # error_page stays 0 here, so a connection without a client certificate is not rejected by HTTP_REQUEST
        set error_string "No Certificate"
        log local0. "$error_string"
    }
}

when HTTP_REQUEST {
    if { $error_page } {
        HTTP::respond 403 content "<html>Invalid client certificate: $error_string</html>"
    }
}
- FaresB
Nimbostratus
Hello,
The problem is in the IF condition that checks the CNs; there are too many OR conditions.
Please can you help me replace the IF condition using a string data group:
    # Look the lower-cased CN up in the string data group MyDataGroup
    if { [class match $subject equals MyDataGroup] } {
Is it right?
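The data-group version of the whole iRule, as an added example that is not part of the original posts. It assumes a string data group named MyDataGroup whose records are the authorised CNs in lower case (the example tmsh definition in the comment is an assumption, not taken from the thread). The `class match` command is the iRules construct for looking a value up in a data group; a plain `contains` against the data-group name does not work. Unlike the posted rule, this example also rejects connections that present no client certificate, and it uses an exact `equals` match so that a longer CN that merely contains one of the records is not accepted.

```tcl
# Assumed data group (string type), created outside the iRule, for example:
#   ltm data-group internal MyDataGroup {
#       records {
#           mysitea.fr { }
#           mysiteb.fr { }
#           mysitec.fr { }
#           mysited.fr { }
#       }
#       type string
#   }
# Records are stored in lower case because the CN is lower-cased before the lookup.

when CLIENT_ACCEPTED {
    # Initialise per-connection state so HTTP_REQUEST can always read it
    set error_page 0
    set error_string ""
}

when CLIENTSSL_CLIENTCERT {
    set error_page 0

    # No certificate presented: reject (stricter than the original rule)
    if { [SSL::cert count] == 0 } {
        set error_string "No Certificate"
        set error_page 1
        log local0. "$error_string"
        return
    }

    # Certificate presented but not chained to the profile's CA bundle
    if { [SSL::verify_result] != 0 } {
        set error_string "Client certificate provided not validated by CA Bundle"
        set error_page 1
        log local0. "$error_string"
        return
    }

    # Extract the CN value from the subject DN and normalise its case
    set cert [SSL::cert 0]
    set cn [string tolower [getfield [getfield [X509::subject $cert] "CN=" 2] "," 1]]

    # One exact lookup in the data group replaces the chain of OR conditions.
    # 'equals' rather than 'contains' keeps a longer CN that merely contains
    # a record's text from matching.
    if { [class match $cn equals MyDataGroup] } {
        log local0. "Client certificate CN '$cn' is authorised by MyDataGroup"
        return
    }

    set error_string "CN not valid"
    set error_page 1
    log local0. "$error_string: $cn"
}

when HTTP_REQUEST {
    if { $error_page } {
        HTTP::respond 403 content "<html>Invalid client certificate: $error_string</html>"
    }
}
```

Adding or removing an authorised CN then becomes a change to the data group's records, with no edit to the iRule itself.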