TIm_Maestas
Apr 06, 2005 (Nimbostratus)
SSL cert verify TCL error?
I have the following iRule:
when CLIENTSSL_HANDSHAKE {
    # grab the client certificate presented during the handshake
    set cert [SSL::cert 0]
}
when HTTP_REQUEST {
    # compare the certificate subject against the merlin data group
    set stuff [X509::subject $cert]
    if { [matchclass $stuff contains $::merlin] } {
        use pool test-sun
    } else {
        reject
    }
}
The merlin class contains things like CN=validhost.company.com. When a host comes in presenting a client certificate with a valid CN everything works fine. When a host comes in without a matching CN in the merlin class, they get a page cannot be displayed error in IE, which is also fine. However, when a client comes in by typing the IP in their browser, which results in a pop-up window because the IP doesn't match the common name of the certificate, I get the following error logged to /var/log/ltm:
tmm tmm[5569]: 01220001:3: TCL error: Rule test - while executing "X509::subject $cert "
While this isn't necessarily a bad thing (because they should be coming in via the correct URL and not get any pop-up errors) it makes me think I've written my rule incorrectly or should have done this differently. Is there a better way to do what I'm doing?
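The TCL error in the log comes from calling X509::subject on an empty value: when the client never presented a certificate, SSL::cert 0 has nothing to return. A defensive version of the same rule, added here as an example (not the poster's iRule and not from F5), checks for a certificate before parsing its subject and rejects the connection explicitly, logging the reason so the rejection shows up in /var/log/ltm as an audit line rather than a TCL error. It keeps the data group ($::merlin) and pool (test-sun) from the question; SSL::cert count, log local0. and IP::client_addr are assumed to be available on the BIG-IP version in use.

```tcl
# Added example, not the original poster's rule. Same data group ($::merlin)
# and pool (test-sun) as in the question; SSL::cert count, log local0. and
# IP::client_addr are assumed to exist on this BIG-IP version.
when CLIENTSSL_HANDSHAKE {
    # Only keep a certificate if the client actually sent one, otherwise
    # store an empty string so HTTP_REQUEST can test for it safely.
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
    } else {
        set cert ""
    }
}

when HTTP_REQUEST {
    # Either the handshake event never ran for this connection or the client
    # presented no certificate: reject before X509::subject can fail, and
    # record why in /var/log/ltm.
    if { ![info exists cert] || $cert eq "" } {
        log local0. "Rejecting [IP::client_addr]: no client certificate presented"
        reject
        return
    }

    # Certificate present: authorize on the subject as before.
    set subject [X509::subject $cert]
    if { [matchclass $subject contains $::merlin] } {
        pool test-sun
    } else {
        log local0. "Rejecting [IP::client_addr]: subject '$subject' not in merlin"
        reject
    }
}
```

Because variables set in CLIENTSSL_HANDSHAKE persist for the life of the TCP connection, every request on a keep-alive connection is checked against the same certificate, and a connection that arrived without one is refused on its first request instead of generating a rule error on each one.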