
Forum Discussion

yoni_100721
May 12, 2015

Passing a variable through an iRule

How can I pass the $domain variable to the portion when CLIENTSSL_CLIENTCERT is running? Most of my work is being done during CLIENTSSL_CLIENTCERT but I would like to import the HTTP::host value.

```tcl
when HTTP_REQUEST {
    set domain [HTTP::host]
}

when CLIENTSSL_CLIENTCERT {
    set cert [SSL::cert 0]
    set sn [X509::serial_number $cert]
    set subject [X509::subject $cert]
    set issuer [X509::issuer $cert]
    set version [X509::version $cert]
    set clientIP [IP::client_addr]
    log local0. $sn
    log local0. $issuer
    log local0. $subject
    log local0. $version
    # Tcl requires "else" on the same line as the closing brace of the if-body;
    # an "else" on its own line is parsed as a separate (unknown) command.
    if { [class match $sn equals $domain] ||
         [class match $subject equals $domain] } {
        log local0. $clientIP
        log local0. "CN and Serial valid"
    } else {
        log local0. $clientIP
        log local0. "cert CN or Serial not valid"
        reject
    }
}
```

2 Replies

  • Well, using `::` denotes a global variable, which you wouldn't want because it's not specific to your current request/session.

    On a broader note, if you take a look at this page, part way down where the flowchart is, you can see that the `CLIENTSSL_CLIENTCERT` event happens before the `HTTP_REQUEST` event, so you won't be able to get the hostname prior to that event.

    You might check out TLS Server Name Indication if you really want the domain in that section. Haven't played with it, but it might be worth a look.

  • Thanks for the info. I figured since `CLIENTSSL_CLIENTCERT` happens before `HTTP_REQUEST` I may not be able to get that until that phase, but wanted to make sure I was on the right track.

    I ended up using `X509::subject` along with trim functions to trim out the CN, which is the same value in my case as the `HTTP::host`.

    I started to look at TLS Server Name Indication and it might provide that ability, but I haven't got that far with that.
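The following iRule is an added example written for this page; it is not code from the thread or from F5. It combines the two replies above: the client certificate is inspected in `CLIENTSSL_CLIENTCERT` (where `HTTP::host` is not yet available), the CN is pulled out of the `X509::subject` string, and the comparison against the requested host is deferred to `HTTP_REQUEST`, where both values exist. The data group name `allowed_cert_cns` is a hypothetical placeholder; the event order and the persistence of Tcl variables across events on the same connection are as the replies describe.

```tcl
# Added example, not from the original thread. Assumes a string data group
# named "allowed_cert_cns" (hypothetical) listing permitted certificate CNs.

when CLIENTSSL_CLIENTCERT {
    # Start with "no identity" so HTTP_REQUEST fails closed if nothing is set.
    set cert_cn ""

    if { [SSL::cert count] < 1 } {
        log local0. "[IP::client_addr]: no client certificate presented"
        reject
        return
    }

    set cert    [SSL::cert 0]
    set subject [X509::subject $cert]
    set sn      [X509::serial_number $cert]

    # Extract the CN attribute from the DN string, e.g.
    # "CN=app.example.com,OU=IT,O=Example". The optional whitespace also
    # covers DNs rendered as "CN=app.example.com, OU=IT".
    if { ![regexp -nocase {(?:^|,)\s*CN=([^,]+)} $subject -> cert_cn] } {
        log local0. "[IP::client_addr]: subject has no CN: $subject"
        reject
        return
    }
    set cert_cn [string tolower [string trim $cert_cn]]

    # First gate, decided at handshake time: the CN must be on the allow-list.
    if { ![class match $cert_cn equals allowed_cert_cns] } {
        log local0. "[IP::client_addr]: CN '$cert_cn' (serial $sn) not in allow-list"
        reject
        return
    }
    log local0. "[IP::client_addr]: CN '$cert_cn' (serial $sn) accepted at handshake"
}

when HTTP_REQUEST {
    # Variables set in CLIENTSSL_CLIENTCERT live for the whole TCP connection,
    # so this check runs for every request on a keep-alive connection.
    # Strip an optional :port and normalise case before comparing.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    if { [info exists cert_cn] } {
        set seen_cn $cert_cn
    } else {
        set seen_cn "none"
    }

    # Second gate: the Host header must name the identity the certificate carried.
    if { $seen_cn eq "none" || $seen_cn eq "" || $host ne $seen_cn } {
        log local0. "[IP::client_addr]: Host '$host' does not match cert CN '$seen_cn'"
        HTTP::respond 403 content "Forbidden" "Connection" "close"
        return
    }
}
```

Rejecting at the handshake keeps unlisted certificates off the virtual server entirely, while the per-request `HTTP::respond 403` handles the case the original question was after: a valid certificate being used against a hostname it was not issued for. If the HTTP profile cannot assume the CN equals the hostname (for example, certificates issued to user identities rather than servers), replace the `$host ne $seen_cn` comparison with a lookup that maps CNs to the hosts they may reach.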