Forum Discussion
Re-execute iRule to read CN value of client cert, but after you know URI.
Thanks, I will try that tomorrow and let you know.
I think I may need to add the following to get an alternative client profile to ask for the client cert though. Is that right?
.......
# Redirect to a special URI that will prompt for a client certificate
HTTP::redirect "/require-cert$httpUri"
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode require
set cmd "SSL::profile /Common/ClientSSL-RequireCert-Profile"
SSL::renegotiate
return
........
- SebScott, Sep 11, 2024, Nimbostratus
Hi.
I did try this method, but got hit with a few little snags that I think are telling me I can't run these HTTP commands in the CLIENTSSL_CLIENTCERT event. Although the last line suggests I have not got the syntax right for the variable, which I could fix, it is the first 3 lines that suggest I can't make this work because they need to be in the HTTP_REQUEST event. Is that correct?
I am going to try and fire off a subroutine (proc) to re-initiate the SSL negotiation against a different client SSL profile and then execute another iRule to trigger the CLIENT_SSL event and subsequent HTTP_REQUEST event, which all seems very complicated, so open to other simpler suggestions like this previous one from susan789wolf that showed real promise in the simpler logic.
[command is not valid in current event context (CLIENTSSL_CLIENTCERT)][HTTP::redirect $original_uri]
/Common/API-CNCheck-New-v2:53: error: [command is not valid in current event context (CLIENTSSL_CLIENTCERT)][HTTP::uri]
/Common/API-CNCheck-New-v2:51: error: [command is not valid in current event context (CLIENTSSL_CLIENTCERT)][HTTP::uri]
/Common/API-CNCheck-New-v2:3: error: [wrong # args][set static::client_cert_required "/BlahBlah" "/YadaYada/*"]
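Added example, not part of the thread and not any poster's code: one way to split the work by event so that the URI decision stays in HTTP_REQUEST and the certificate CN is read after the renegotiated handshake. The allowed CN is a constructed sample, the URI patterns are the ones from the error line above, and it assumes a TLS version that permits renegotiation (TLS 1.3 does not) and a client SSL profile that trusts the issuing CA.

```tcl
when RULE_INIT {
    # "set" takes one value, so the patterns go in a single braced list.
    set static::client_cert_required {"/BlahBlah" "/YadaYada/*"}
    # Constructed sample allow-list of certificate CNs (assumption).
    set static::allowed_cns {"api-client.example.com"}
}
when CLIENT_ACCEPTED {
    # Per-connection state shared by the events below.
    set reneg_pending 0
    set client_cn ""
}
when HTTP_REQUEST {
    # The URI is only known here, so the "does this path need a cert" test lives here.
    set needs_cert 0
    foreach pattern $static::client_cert_required {
        if { [string match $pattern [HTTP::uri]] } { set needs_cert 1; break }
    }
    if { !$needs_cert } { return }
    if { [SSL::cert count] == 0 } {
        # Hold the request, then ask for a certificate on this connection.
        HTTP::collect
        set reneg_pending 1
        SSL::session invalidate
        SSL::authenticate always
        SSL::authenticate depth 9
        SSL::cert mode require
        SSL::renegotiate
    } elseif { [lsearch -exact $static::allowed_cns $client_cn] < 0 } {
        # Certificate already presented on this connection, but CN not allowed.
        HTTP::respond 403 content "Client certificate not authorized"
    }
}
when CLIENTSSL_HANDSHAKE {
    # Runs after every completed handshake, including the renegotiated one.
    if { [SSL::cert count] > 0 } {
        regexp {CN=([^,/]+)} [X509::subject [SSL::cert 0]] -> client_cn
    }
    if { $reneg_pending } {
        set reneg_pending 0
        if { [lsearch -exact $static::allowed_cns $client_cn] < 0 } {
            reject          ;# fail closed: drop the held request with the connection
        } else {
            HTTP::release   ;# let the held request continue to the pool
        }
    }
}
```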