F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

mikegray_198028's avatar
mikegray_198028
Icon for Cirrus rankCirrus
Jan 19, 2017

irule help

Hello Team, I am looking for irule for the below scenario. https://www.example.com/user1 > for this user will submit client certificate with cn=user1 LB should accept this connection and rej...
application delivery
iRules
LTM
IheartF5_45022's avatar
IheartF5_45022
Icon for Nacreous rankNacreous
Jan 22, 2017

Only the leaf cert, [SSL::cert 0] is used for client SSL checking. This should also work;-

when HTTP_REQUEST {
    set cn [class match -value [HTTP::path] starts_with dg_path_common_name_mapping]

    if {$cn ne ""} {
        Client certificate is required for this path  
       if {![SSL::cert count]} {
          HTTP::respond 403 content "Client certificate required" noserver
          return
       } elseif {!([X509::subject [SSL::cert 0]] contains $cn)} {
           Client cert doesn't match required Common Name
          HTTP::respond 403 content "Client certificate does not match required name $cn" noserver
          return
       }
    }
}