Forum Discussion
iRule to Insert Client Cert into HTTP Header only when Certificate is from certain Root CA
- Jan 18, 2022
I modified the rule and also added a check for an existing x-client-cert. Now it seems to work.
when RULE_INIT {
    # Organization string expected in the issuer DN of accepted client certificates
    set static::org "O=MON"
}
when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert 0] eq ""} {
        return
    } else {
        set issuer_dn [X509::issuer [SSL::cert 0]]
        log "Client Certificate Received: $issuer_dn"
        if { ($issuer_dn contains $static::org) } {
            log "Client Certificate Accepted: $issuer_dn"
        } else {
            log "No Matching Client Certificate Was Found Using: $issuer_dn"
            reject
        }
    }
}
when HTTP_REQUEST {
    # Remove any X-Client-Cert header supplied by the client before inserting our own
    foreach header_name [HTTP::header names] {
        if {[string match -nocase x-client-cert $header_name]} {
            HTTP::header remove $header_name
        }
    }
    HTTP::header insert X-Client-Cert [b64encode [SSL::cert 0]]
}
I am leaving the full rule here, so if anyone needs something similar, it can be used.
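The rule above accepts any issuer DN that contains the substring `O=MON`. As an added example (not part of the original post and not F5 code), this plain-Tcl proc compares the O attribute exactly and prints both results side by side; the proc name `issuer_has_org`, the sample DNs and the comma-separated DN layout are assumptions.

```tcl
# Added example, not the poster's code. Tcl 8.4-compatible, runs in tclsh.
# Assumption: the issuer DN is a comma-separated list of TYPE=value pairs
# with no escaped commas inside the values.

# Return 1 only if the DN has an O attribute whose value is exactly $org.
proc issuer_has_org {issuer_dn org} {
    foreach rdn [split $issuer_dn ","] {
        set rdn [string trim $rdn]
        set pos [string first "=" $rdn]
        if {$pos < 0} { continue }
        # Split on the first "=" only, so "=" inside a value is preserved.
        set type  [string toupper [string trim [string range $rdn 0 [expr {$pos - 1}]]]]
        set value [string trim [string range $rdn [expr {$pos + 1}] end]]
        if {$type eq "O" && $value eq $org} {
            return 1
        }
    }
    return 0
}

# Constructed sample issuer DNs (not taken from the thread).
set samples {
    "CN=MON Issuing CA, O=MON, C=DE"
    "CN=Other CA, O=MONEY Corp, C=US"
    "CN=Lab CA, OU=DEMO=MON, O=Example, C=US"
    "CN=Root, O=Example, C=US"
}

foreach dn $samples {
    # Plain-Tcl equivalent of the iRule test: $issuer_dn contains "O=MON"
    set substring [expr {[string first "O=MON" $dn] >= 0}]
    set exact     [issuer_has_org $dn "MON"]
    puts [format "%-42s contains=%d exact=%d" $dn $substring $exact]
}
```

Chain validation against the trusted CA bundle in the Client SSL profile remains the actual trust decision; the DN comparison only narrows which validated issuers are accepted.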
