Forum Discussion
ebrc
Nimbostratus
Jan 30, 2019
Reject connections with no extension keyusage in client certificate
Good morning everyone!
One of our clients is asking me to be able to block all connections where the client certificate does not contain the keyusage extension.
I found this link which i...
youssef1
Cumulonimbus
Jan 31, 2019
Hi Guys,
Simple example from devcentral:
when CLIENTSSL_CLIENTCERT {
    # Leaf certificate presented by the client during the handshake
    set client_cert [SSL::cert 0]
    # Log the complete extension text on one line...
    log local0. "Client cert extensions - [X509::extensions $client_cert]"
    # ...and then each extension line separately
    foreach item [split [X509::extensions $client_cert] \n] {
        log local0. "Extension: $item"
    }
}
Output:
Client cert extensions - X509v3 Extended Key Usage: TLS Web Client Authentication
Extension: X509v3 extensions:
Extension: X509v3 Extended Key Usage:
Extension: TLS Web Client Authentication
or
Extension: Client cert extensions - (no extensions)
You can test this simple iRule:
when CLIENTSSL_CLIENTCERT {
    set client_cert [SSL::cert 0]
    log local0. "Client cert extensions - [X509::extensions $client_cert]"
    # Drop the connection when the extension text does not carry the expected value
    if { !([X509::extensions $client_cert] contains "TLS Web Client Authentication") } {
        reject
    }
}
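The reply's test matches the Extended Key Usage value "TLS Web Client Authentication", while the question asks for the Key Usage extension itself. The following iRule is an added example, not code from the thread or from F5: it rejects the handshake when no certificate is presented or when no line of the extension text starts with "X509v3 Key Usage:" (assumed to be the OpenSSL-style name X509::extensions prints, matching the "X509v3 Extended Key Usage:" line shown in the reply), and it anchors the match to the start of the line so the Extended Key Usage line cannot satisfy it.

```tcl
# Added example (not from the original thread): reject the handshake unless the
# client certificate carries a Key Usage extension.
# Assumption: X509::extensions emits one extension per line with the
# OpenSSL-style name "X509v3 Key Usage:" for that extension.
when CLIENTSSL_CLIENTCERT {
    # Nothing to inspect when the client presented no certificate at all
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate presented by [IP::client_addr]"
        reject
        return
    }
    set client_cert [SSL::cert 0]
    set has_key_usage 0
    # Walk the extension text line by line; anchoring the pattern to the
    # trimmed start of the line keeps "X509v3 Extended Key Usage:" from matching
    foreach line [split [X509::extensions $client_cert] "\n"] {
        if { [string match "X509v3 Key Usage:*" [string trim $line]] } {
            set has_key_usage 1
            break
        }
    }
    if { !$has_key_usage } {
        log local0. "Rejecting [IP::client_addr]: cert [X509::subject $client_cert] has no Key Usage extension"
        reject
    }
}
```

Log the full output of X509::extensions from a known-good certificate first so the exact line prefix on your BIG-IP version is confirmed before enforcing the reject.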