Forum Discussion
chin_15339
Nimbostratus
May 01, 2017
redirect irule when a client certificate is missing
There are two parts to the requirement:
1: When the cert is missing, the redirect should be /certnotavailable - this part is not working.
2: When a cert has CN:X then the redirect should be /X and when CN:Y re...
May 05, 2017
Your iRule fails because the variable $subject_dn doesn't exist when the client doesn't send a client certificate. This iRule should work:
```tcl
when RULE_INIT {
    # Set to 0 to disable debug logging
    set static::debug 1
}
when CLIENTSSL_CLIENTCERT {
    # Runs only when the client presents a certificate
    set subject_dn [X509::subject [SSL::cert 0]]
    if { $subject_dn != "" } {
        if { $static::debug } { log "Client Certificate received: $subject_dn" }
    }
}
when CLIENTSSL_HANDSHAKE {
    # SSL::verify_result returns 0 when certificate verification succeeded
    if { [SSL::verify_result] == 0 } then { set clientCRT 1 } else { set clientCRT 0 }
}
when HTTP_REQUEST {
    if { [info exists subject_dn] } {
        switch -glob -- $subject_dn {
            "*CN=Vinit-A*" { HTTP::redirect "/vinit-A.html" }
            "*CN=Vinit-B*" { HTTP::redirect "/vinit-B.html" }
            "*CN=Vinit-C*" { HTTP::redirect "/vinit-C.html" }
        }
    } else {
        # No client certificate was presented
        HTTP::redirect "/Certmissing.html"
    }
}
```
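A stricter variant of the rule above, as an added example that is not part of the original thread: it takes the CN only from a certificate that verified, matches the CN value exactly instead of globbing the whole subject DN (`*CN=Vinit-A*` also matches a CN such as `Vinit-AB`), and skips the redirect when the request is already for the target page. The `client_cn` and `target` variables, the DN separator handling and the two-entry CN-to-path map are assumptions.

```tcl
# Added example, not from the thread. Assumptions: the client SSL profile
# requests a client certificate, X509::subject returns RDNs separated by
# "," or "/", and the CN-to-path map below is illustrative.
when CLIENTSSL_CLIENTCERT {
    # New handshake: forget any identity kept from a previous one.
    unset -nocomplain client_cn
    # Accept the identity only if a certificate was sent and it verified.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set subject_dn [X509::subject [SSL::cert 0]]
        # Capture the CN value itself, anchored at the start of an RDN,
        # so a longer CN or a look-alike attribute cannot match.
        if { [regexp -nocase {(?:^|[,/])\s*CN=([^,/]+)} $subject_dn -> cn] } {
            set client_cn [string trim $cn]
        }
    }
}

when HTTP_REQUEST {
    if { [info exists client_cn] } {
        switch -exact -- $client_cn {
            "Vinit-A" { set target "/vinit-A.html" }
            "Vinit-B" { set target "/vinit-B.html" }
            default   { set target "" }
        }
    } else {
        # No certificate, or one that failed verification.
        set target "/Certmissing.html"
    }
    # Redirect only when the client is not already on the target page;
    # otherwise every request for that page would be redirected again.
    if { $target ne "" && [HTTP::path] ne $target } {
        HTTP::redirect $target
    }
}
```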
