Forum Discussion
chin_15339
Nimbostratus
May 01, 2017
redirect irule when a client certificate is missing
There are two parts to the requirement:
1: When the cert is missing, the redirect should be /certnotavailable - this part is not working.
2: When a cert has CN:X, the redirect should be /X, and when CN:Y, the redirect should be /Y - this is working fine.
Below is the iRule:
when RULE_INIT {
    set static::debug 1
}
when CLIENTSSL_CLIENTCERT {
    set subject_dn [X509::subject [SSL::cert 0]]
    if { $subject_dn != "" }{
        if { $static::debug }{ log "Client Certificate received: $subject_dn"}
    }
}
when CLIENTSSL_HANDSHAKE {
    if { [SSL::verify_result] == !0 } then {set clientCRT 1} else {set clientCRT 0}
}
when HTTP_REQUEST {
    switch -glob -- $subject_dn {
        "*CN=Vinit-A*" {HTTP::redirect "/vinit-A.html"}
        "*CN=Vinit-B*" {HTTP::redirect "/vinit-B.html"}
        "*CN=Vinit-B*" {HTTP::redirect "/vinit-C.html"}
        default {HTTP::redirect "/Certmissing.html"}
    }
}
Your iRule fails because the variable $subject_dn doesn't exist when the client doesn't send a client certificate. This iRule should work:
when RULE_INIT {
    set static::debug 1
}
when CLIENTSSL_CLIENTCERT {
    set subject_dn [X509::subject [SSL::cert 0]]
    if { $subject_dn != "" }{
        if { $static::debug }{ log "Client Certificate received: $subject_dn"}
    }
}
when CLIENTSSL_HANDSHAKE {
    if { [SSL::verify_result] == !0 } then {set clientCRT 1} else {set clientCRT 0}
}
when HTTP_REQUEST {
    if {[info exists subject_dn]} {
        switch -glob -- $subject_dn {
            "*CN=Vinit-A*" {HTTP::redirect "/vinit-A.html"}
            "*CN=Vinit-B*" {HTTP::redirect "/vinit-B.html"}
            "*CN=Vinit-B*" {HTTP::redirect "/vinit-C.html"}
        }
    } else {
        HTTP::redirect "/Certmissing.html"
    }
}
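A variant that decides certificate presence and validity in one place, added here as an example and not code from this thread. It assumes the client SSL profile requests (rather than requires) a client certificate, so a handshake can complete with no certificate or with one that failed verification; the variable names client_cn and target and the CN regular expression are illustrative.

```tcl
when CLIENTSSL_HANDSHAKE {
    # Fires after every completed handshake, whether or not a certificate
    # was sent, so client_cn always exists by the time HTTP_REQUEST runs.
    # Resetting it here also clears stale state after a renegotiation.
    set client_cn ""
    if { [SSL::cert count] > 0 } {
        if { [SSL::verify_result] == 0 } {
            # Only trust the subject of a certificate that verified cleanly.
            set subject_dn [X509::subject [SSL::cert 0]]
            # Assumed DN layouts: "CN=x,OU=y" or "/OU=y/CN=x".
            # On no match, client_cn keeps its empty default.
            regexp {(?:^|[,/])\s*CN=([^,/]+)} $subject_dn -> client_cn
        } else {
            log local0. "Client cert failed verification: [X509::verify_cert_error_string [SSL::verify_result]]"
        }
    }
}
when HTTP_REQUEST {
    # Exact match on the extracted CN. A glob such as "*CN=Vinit-A*" over
    # the whole DN would also match "CN=Vinit-AB" or another DN field that
    # happens to contain that text.
    switch -- $client_cn {
        "Vinit-A" { set target "/vinit-A.html" }
        "Vinit-B" { set target "/vinit-B.html" }
        default   { set target "/Certmissing.html" }
    }
    # Skip the redirect once the client is on its target page; otherwise
    # every request, including the redirected one, is redirected again.
    if { [HTTP::path] ne $target } {
        HTTP::redirect $target
    }
}
```

Here a missing certificate, a certificate that failed verification, and a valid certificate with an unlisted CN all land on /Certmissing.html; split the default arm if those cases need different pages.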