iRule to require client certificate and validate it

hi,

 

 

I have just checked that this version (below) is able to compile on F5:

 

 

when HTTP_REQUEST {

 

if { [HTTP::uri] starts_with "/pattern" } {

 

HTTP::collect

 

SSL::cert mode require

 

SSL::renegotiate

 

set ssl_cert [SSL::cert 0]

 

set isMatch 0

 

set org "Company name"

 

set locality "Warszawa"

 

set name "www.f5.net"

 

set country "PL"

 

set issorg "“Thawte Consulting (Pty) Ltd."

 

set isscn "Thawte SGC C"

 

set issctr "Us"

 

set subject_dn [X509::subject $ssl_cert]

 

set issuer_dn [X509::issuer $ssl_cert]

 

log "Client Certificate Received: $subject_dn, $issuer_dn"

 

 

if { [$subject_dn matches $org] and [$subject_dn matches $locality] and [$subject_dn matches $name] and [$subject_dn matches $country] and [$issuer_dn matches $issorg] and [$issuer_dn matches $isscn] and [$issuer_dn matches $issctr] } {

 

log "Client Certificate Accepted: $subject_dn, $issuer_dn"

 

set isMatch 1

 

pool TestSSL

 

}

 

if { $isMatch == 0 }{

 

log "No Matching Client Certificate Was Found Using: $subject_dn"

 

reject

 

}

 

}

 

else {

 

pool TEST

 

}

 

}

 

 

 

but question is:

 

I want that script to:

 

 

1. check for each HTTP connection the URI if it starts with "/pattern"

 

2. if pattern match require client certificate

 

3. if client has certificate check the specified record from X.509 cert

 

 

I have limited possibilities and not much time to test it on F5, thus I would like to prepare the script as good as possible to decrease number of iteration during test phase.

 

 

and the question is if someone more experienced in scripting could tell if this script has a chances to work as planned.