iRule to Insert Client Cert into HTTP Header only when Certificate is from certain Root CA
- Jan 18, 2022
I modified the rule and also added a check for an existing x-client-cert header. Now it seems to work.
when RULE_INIT {
    set static::org "O=MON"
}

when CLIENTSSL_CLIENTCERT {
    # No certificate presented: nothing to check here; whether that is allowed at all
    # is decided by the client SSL profile's client certificate setting, not by this rule
    if { [SSL::cert 0] eq "" } {
        return
    } else {
        set issuer_dn [X509::issuer [SSL::cert 0]]
        log "Client Certificate Received: $issuer_dn"
        # "contains" is a substring match on the issuer DN, not an exact RDN comparison
        if { ($issuer_dn contains $static::org) } {
            log "Client Certificate Accepted: $issuer_dn"
        } else {
            log "No Matching Client Certificate Was Found Using: $issuer_dn"
            reject
        }
    }
}

when HTTP_REQUEST {
    # Strip every client-supplied X-Client-Cert header (any letter case, every occurrence)
    # so a spoofed copy can never reach the backend; HTTP::header names lists duplicates,
    # so the loop removes each one
    foreach header_name [HTTP::header names] {
        if { [string match -nocase x-client-cert $header_name] } {
            HTTP::header remove $header_name
        }
    }
    # Now insert the certificate the TLS layer actually received on this connection
    HTTP::header insert X-Client-Cert [b64encode [SSL::cert 0]]
}
I am leaving the full rule here, so if anyone needs something similar, it can be used.
I updated the iRule as follows:
when RULE_INIT {
    set static::org "OU=<neededOU>"
}

when CLIENTSSL_CLIENTCERT {
    # No certificate presented: nothing to check here
    if { [SSL::cert 0] eq "" } {
        return
    } else {
        set subject_dn [X509::subject [SSL::cert 0]]
        log "Client Certificate Received: $subject_dn"
        # "contains" is a substring match on the subject DN, not an exact RDN comparison
        if { ($subject_dn contains $static::org) } {
            log "Client Certificate Accepted: $subject_dn"
        } else {
            log "No Matching Client Certificate Was Found Using: $subject_dn"
            reject
        }
    }
}

when HTTP_REQUEST {
    # Inserts the header without removing a client-supplied X-Client-Cert first,
    # so a spoofed copy would reach the backend alongside this one
    HTTP::header insert X-Client-Cert [b64encode [SSL::cert 0]]
}
Now I get somewhat mixed results:
1 is OK
2 is OK
3 is Kinda OK - connection is reset
4 is not OK (which at this point is obvious, as I am not actually trying to correct it; I want to get the first 3 working first)
So what is left is how to check if there is already an inserted, spoofed X-Client-Cert header.
Any suggestions?
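As an added example, not code from this thread or from F5: the two checks both posts above turn on, modelled in plain Python so they can be run and tested off-box. It covers the DN check in CLIENTSSL_CLIENTCERT (the `contains` substring match of the posted rules beside an exact RDN comparison, with a case where the two disagree) and the spoof check the second post asks for (dropping every client-supplied X-Client-Cert header, in any letter case, before the load balancer inserts its own). It assumes DN strings in the comma-separated form `X509::issuer` / `X509::subject` return (e.g. "C=US,O=MON,CN=MON Root CA"); the function names, the sample DNs and header lists and the five-byte stand-in for the certificate are all constructed for the example.

```python
"""Added example: issuer/subject DN matching and X-Client-Cert header sanitising,
mirroring the logic of the iRules in this thread. Not F5 code; DN format is assumed
to be the comma-separated form the iRule X509::* commands return."""
import base64
from typing import List, Optional, Tuple

Header = Tuple[str, str]

# Constructed stand-in for the DER bytes SSL::cert 0 would return: a valid DER
# SEQUENCE { INTEGER 1 }, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split "C=US,O=MON,CN=MON Root CA" into [("C","US"),("O","MON"),("CN","MON Root CA")].
    Backslash-escaped commas inside a value are honoured (RFC 4514 style); other
    RFC 4514 quoting forms are out of scope for this example."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":                           # unescaped comma ends the RDN
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")    # split on the first '=' only
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_contains_substring(dn: str, needle: str) -> bool:
    """What the posted iRules do: `$issuer_dn contains $static::org`.
    Matches O=MON, but also O=MONEY, CO=MON, etc."""
    return needle in dn


def dn_has_rdn(dn: str, attr: str, value: str) -> bool:
    """Exact match of one RDN, e.g. dn_has_rdn(dn, "O", "MON"): O=MONEY does not match."""
    return (attr.upper(), value) in parse_dn(dn)


def sanitize_client_cert_header(headers: List[Header], der_cert: bytes) -> List[Header]:
    """Drop every incoming X-Client-Cert header (case-insensitive, all occurrences) and
    append exactly one built from the certificate the TLS layer validated. This is the
    role of the foreach / HTTP::header remove loop in the first post."""
    kept = [(name, value) for (name, value) in headers if name.lower() != "x-client-cert"]
    kept.append(("X-Client-Cert", base64.b64encode(der_cert).decode("ascii")))
    return kept


def forward_headers(issuer_dn: str, der_cert: bytes, headers: List[Header],
                    expected_org: str = "MON") -> Optional[List[Header]]:
    """Whole flow of the first post with the exact-RDN check: None means the connection
    would be rejected, otherwise the header list the backend should see."""
    if not dn_has_rdn(issuer_dn, "O", expected_org):
        return None
    return sanitize_client_cert_header(headers, der_cert)


if __name__ == "__main__":
    spoofed = [("Host", "app.example"), ("X-Client-Cert", "spoofed"), ("x-client-cert", "spoofed-too")]
    print("substring match on O=MONEY:", dn_contains_substring("C=US,O=MONEY,CN=evil", "O=MON"))
    print("exact RDN match on O=MONEY:", dn_has_rdn("C=US,O=MONEY,CN=evil", "O", "MON"))
    print("forwarded headers:", forward_headers("C=US,O=MON,CN=MON Root CA", SAMPLE_DER, spoofed))
```

Two caveats that hold for the iRules as much as for this model: the DN check, in either form, only inspects what the certificate's issuer or subject name claims; whether the chain actually validated up to the intended root is decided by the trusted CA bundle configured on the client SSL profile, not by the rule. And the backend can only treat X-Client-Cert as authoritative if nothing but the load balancer can reach it, since any other path lets a client set the header directly.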