Forum Discussion

Mike_Breeden_62
Feb 05, 2015

SSL Client Irule Verification

We are having an issue, I think, with this iRule. It checks to see if the client cert serial number matches and, if it does, it will allow traffic to pass. We know the serial numbers match; however, it logs that no matching cert was found. Can someone take a look at the iRule to see if anything needs to be changed?

Output in the logs:

Feb 5 13:19:22 LTM info tmm5[9705]: 01220002:6: Rule /Common/Sharepoint_ClientAuth : Client Certificate Received: 35:f3:82:5a:5f:29:c3:ee
Feb 5 13:19:22 LTM info tmm5[9705]: 01220002:6: Rule /Common/Sharepoint_ClientAuth : No Matching Client Certificate Was Found Using: 35:f3:82:5a:5f:29:c3:ee

iRule:

when CLIENTSSL_CLIENTCERT {

    # Check if client provided a cert
    if {[SSL::cert 0] eq ""} {

        # Reset the connection
        reject

    } else {

        set subject_sn [X509::serial_number [SSL::cert 0]]
        log "Client Certificate Received: $subject_sn"
        # Check if the client certificate contains the correct serial_number
        # (the <u+200e> marker shows where a hidden U+200E character sits in the pasted literal; see the replies below)
        if {$subject_sn equals "<u+200e>35:f3:82:5a:5f:29:c3:ee"} {
            # Accept the client cert
            log "Client Certificate Accepted: $subject_sn"
        } else {
            log "No Matching Client Certificate Was Found Using: $subject_sn"
            reject
        }
    }
}
  • Forgive me if this is out of line, but have you thought about just using the client authentication part of the client SSL profile? You can set it to require a client cert, which will satisfy your reject statement. Then set the certificate you are using (or its issuer) as the "Trusted Certificate Authorities".

    With that said, in theory your iRule looks like it should work. You may try to make sure what you are comparing is the same case by using this:

    set subject_sn [string tolower [X509::serial_number [SSL::cert 0]]]

    And you could try putting "<u+200e>35:f3:82:5a:5f:29:c3:ee" in brackets, <u+200e>{35:f3:82:5a:5f:29:c3:ee} to rule out special evaluation of the ":".

  • Were you able to get this to work? I need to create an iRule that can verify against several certificate serial numbers. Would you happen to know how to do this?
  • Hi Cmiller,

    the iRule should work fine. The problem of the OP is that the hardcoded serial number of "‎35:f3:82:5a:5f:29:c3:ee" contains the non-printable character sequence of %e2%80%8e (for whatever reason).

    So basically his iRule compares visibly...

    "35:f3:82:5a:5f:29:c3:ee" "‎35:f3:82:5a:5f:29:c3:ee"

    ... but the [if] command compares ...

    %22%33%35%3a%66%33%3a%38%32%3a%35%61%3a%35%66%3a%32%39%3a%63%33%3a%65%65%22 %22%e2%80%8e%33%35%3a%66%33%3a%38%32%3a%35%61%3a%35%66%3a%32%39%3a%63%33%3a%65%65%22

    ... which is not "equals".

    Note: Copy and paste the serial number of the original post (including "") into Notepad and you'll notice the added character by skipping through each single char. At the beginning it will take two hits to move to the next character...

    Cheers, Kai


  • I was facing the same issue; try with

    if {$subject_sn contains "35:f3:82:5a:5f:29:c3:ee"}
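Pulling the replies together, here is an added example of the serial check, written by me for this page and not the original poster's iRule or F5 code. The %e2%80%8e sequence Kai found is the UTF-8 encoding of U+200E, the left-to-right mark, which renders as nothing at all; the version below normalises both the allowlist entries and the presented serial to bare lowercase hex before comparing, so a hidden character or a case difference on either side cannot break the match, and it accepts several serials, which is what cmiller asked about. The serial values in the allowlist and the log message wording are placeholders of my own:

```tcl
# Added example, not the original poster's iRule. Serial numbers below are
# placeholders; replace them with the serials you actually trust.

when RULE_INIT {
    # Build the allowlist once, normalising every entry to lowercase hex with
    # separators removed. Normalising the entries as well as the presented
    # value means an invisible character pasted into an entry (such as the
    # U+200E found in the original post) or mixed case cannot break the match.
    set static::allowed_serials [list]
    foreach raw [list "35:f3:82:5a:5f:29:c3:ee" "01:AB:CD:EF:01:23:45:67"] {
        lappend static::allowed_serials \
            [string tolower [regsub -all {[^0-9a-fA-F]} $raw ""]]
    }
}

when CLIENTSSL_CLIENTCERT {
    # No certificate presented: drop the connection, as in the original iRule.
    if { [SSL::cert 0] eq "" } {
        log local0. "No client certificate presented; rejecting"
        reject
        return
    }

    # Normalise the presented serial exactly as the allowlist was normalised.
    set raw_sn [X509::serial_number [SSL::cert 0]]
    set sn [string tolower [regsub -all {[^0-9a-fA-F]} $raw_sn ""]]
    log local0. "Client certificate serial received: $raw_sn (normalised: $sn)"

    # lsearch -exact requires the whole string to match one allowlist entry.
    # The "contains" operator suggested above would also accept any longer
    # serial that merely embeds an allowlisted value, so it is not used here.
    if { [lsearch -exact $static::allowed_serials $sn] < 0 } {
        log local0. "Client certificate serial $sn not in allowlist; rejecting"
        reject
        return
    }
    log local0. "Client certificate serial $sn accepted"
}
```

Two caveats when deploying something like this. Exact matching (lsearch -exact) is deliberate: contains would also match a serial such as aa:35:f3:82:5a:5f:29:c3:ee:bb, which embeds the allowlisted value without being it. And a serial number is only unique within one issuing CA, so this check should sit alongside the client SSL profile's "Trusted Certificate Authorities" setting that the first reply suggests; on its own, any CA that issued a certificate with a matching serial would be accepted.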