Only the leaf certificate, `[SSL::cert 0]`, is used for the client SSL check. The following should also work:
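when HTTP_REQUEST {
    # Look up the client-certificate Common Name required for this request path.
    # The data group maps a path prefix to a CN; an empty result means no client
    # certificate is required for this path.
    set cn [class match -value [HTTP::path] starts_with dg_path_common_name_mapping]
    if { $cn ne "" } {
        # Client certificate is required for this path
        if { ![SSL::cert count] } {
            HTTP::respond 403 content "Client certificate required" noserver
            return
        }
        # Extract the CN attribute from the leaf certificate's subject and compare
        # it exactly. A substring test (`contains`) on the whole subject string is
        # too loose: "CN=notservice" would satisfy a required name of "service",
        # and the required string appearing in an O= or OU= component would also
        # pass. The capture allows escaped commas ("\,") inside the CN value.
        set subject_cn ""
        regexp {(?:^|,)\s*CN=((?:\\,|[^,])+)} [X509::subject [SSL::cert 0]] -> subject_cn
        set subject_cn [string trim $subject_cn]
        # NOTE(review): this only checks that a certificate was presented and that
        # its CN matches. Whether the certificate chains to a trusted CA depends on
        # the client SSL profile's verification setting; if the profile merely
        # "requests" the certificate, confirm with SSL::verify_result as well.
        if { $subject_cn ne $cn } {
            # Client cert doesn't match required Common Name
            HTTP::respond 403 content "Client certificate does not match required name $cn" noserver
            return
        }
    }
}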