Forum Discussion
iRule to Insert Client Cert into HTTP Header only when Certificate is from certain Root CA
- Jan 18, 2022
I modified the rule and also added a check for existing x-client-cert. Now it seems to work.
```tcl
when RULE_INIT {
    # Issuer DN fragment that identifies the accepted CA
    set static::org "O=MON"
}

when CLIENTSSL_CLIENTCERT {
    # No client certificate presented: nothing to check
    if { [SSL::cert 0] eq "" } {
        return
    } else {
        set issuer_dn [X509::issuer [SSL::cert 0]]
        log "Client Certificate Received: $issuer_dn"
        if { $issuer_dn contains $static::org } {
            log "Client Certificate Accepted: $issuer_dn"
        } else {
            log "No Matching Client Certificate Was Found Using: $issuer_dn"
            reject
        }
    }
}

when HTTP_REQUEST {
    # Remove any X-Client-Cert header supplied by the client
    foreach header_name [HTTP::header names] {
        if { [string match -nocase x-client-cert $header_name] } {
            HTTP::header remove $header_name
        }
    }
    # Pass the client certificate to the server, base64-encoded
    HTTP::header insert X-Client-Cert [b64encode [SSL::cert 0]]
}
```
I am leaving the full rule here, so if anyone needs something similar, it can be used.
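
The `contains` test in the rule above is a substring match, so it also accepts issuer DNs that merely include the text `O=MON` somewhere. The plain-Tcl sketch below is an added example, not part of the original post: it compares whole RDNs instead, assuming the issuer DN is a comma-separated `type=value` string; the proc names and sample DNs are constructed for illustration.

```tcl
# Added example (not from the original post); runs in plain tclsh.
# Assumption: the issuer DN is a comma-separated list of type=value pairs.

# Split a DN on unescaped commas, so an escaped comma inside a value
# does not start a new RDN.
proc split_rdns {dn} {
    set rdns {}
    set cur ""
    set esc 0
    foreach ch [split $dn ""] {
        if {$esc} {
            append cur $ch
            set esc 0
        } elseif {$ch eq "\\"} {
            append cur $ch
            set esc 1
        } elseif {$ch eq ","} {
            lappend rdns [string trim $cur]
            set cur ""
        } else {
            append cur $ch
        }
    }
    lappend rdns [string trim $cur]
    return $rdns
}

# Return 1 only when one whole RDN equals $wanted (for example "O=MON").
proc issuer_has_rdn {dn wanted} {
    foreach rdn [split_rdns $dn] {
        if {$rdn eq $wanted} { return 1 }
    }
    return 0
}

# Constructed sample issuer DNs.
set samples [list \
    {CN=MON Issuing CA, O=MON, C=DE} \
    {CN=Other CA, O=MONITORING LTD, C=US} \
    {CN=x\,O=MON, O=Other, C=US} \
    {CN=Some CA, OU=Dept, O=Other, C=US}]

foreach dn $samples {
    set substring [expr {[string first "O=MON" $dn] >= 0}]
    set exact     [issuer_has_rdn $dn "O=MON"]
    puts "substring=$substring exact=$exact  $dn"
}
```

Inside an iRule, procs like these are invoked with `call`, for example `[call issuer_has_rdn $issuer_dn $static::org]`.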