Forum Discussion
CirrusiRule for X509 Subject
Cirrusthsi is the full iRule
#This will insert multiple headers into the packet to the backend servers.
when CLIENTSSL_CLIENTCERT {
# See if the no certificate was presented after SSL profile request
if {[SSL::cert 0] eq ""}{
# Log a failure to receive a certificate
log local0. "([IP::client_addr]:[TCP::client_port]-[IP::local_addr]:[TCP::local_port]) failed to provide a certificate, connection rejected"
# Reset the connection because of no certificate
reject
}
# Log receipt of a client certificate
#May Be Remarked In Production
#log local0. "A Cert was submitted from IP Address: [IP::client_addr]"
}
when HTTP_REQUEST {
# Set a local variable with certificate
set cert [SSL::cert 0]
set Cert_CN [X509::subject [SSL::cert 0] commonName]
log local0. "This is from User_CN $Cert_CN"
#HTTP::header insert "X-SSL-Client-CN" "$Cert_CN"
#HTTP::header insert X-SSL-Client-S-DN [X509::subject $cert]
#HTTP::header insert X-SSL-Client-NotBefore [X509::not_valid_before $cert]
#HTTP::header insert X-SSL-Client-NotAfter [X509::not_valid_after $cert]
#HTTP::header insert X-SSL-Issuer [X509::issuer $cert]
#HTTP::header insert X-SSL-CERT [X509::whole $cert]
#HTTP::header insert X-SSL-SERIAL [X509::serial_number $cert]
#HTTP::header insert X-SSL-VERSION [X509::version $cert]
#HTTP::header insert X-SSL-EXTENSIONS [X509::extensions $cert]
}
