Forum Discussion
Mike_Maher
Mar 02, 2012Nimbostratus
TCL with iRule in v11.1
I have the following iRule that went through an upgrade from 10.2.0 to 11.1, and I now seeing some TCL errors. I am pretty sure it has to do with the way I am referencing the Data Group, but I am not sure how to resolve the issue. Any help is appreciated.
All logs are sent to /var/log/ltm
If the CN on the certificate or the Issuer changes, you can
add the new data under Data Group to either ExtQuotes_CN_List
or ExtQuotes_Issuer_List
when CLIENTSSL_CLIENTCERT {
Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
set subject_dn [X509::subject [SSL::cert 0]]
log "Client Certificate Received: $subject_dn"
set inter_cert [X509::issuer [SSL::cert 0]]
log "Client Certificate Received: $inter_cert"
Check if the client certificate contains the correct CN and Issuer from Data Groups
if { ([matchclass $subject_dn contains $::ExtQuotes_CN_List])
and ([matchclass $inter_cert contains $::ExtQuotes_Issuer_List])} {
Accept the client cert
log "Client Certificate Accepted: $subject_dn"
} else {
log "No Matching Client Certificate or Issuer Was Found Using: $subject_dn or $inter_cert"
reject
}
}
Here is the error
TCL Error: /Common/ExtQuotes_Client_Cert_Auth - Can't Read "::ExtQuotes_CN_List" : no such variable while executing "matchclass $subject_dn contains $::ExtQuotes_CN_List"
- hooleylistCirrostratusHi Mike,
- Mike_MaherNimbostratusAaron,
- Misty_SpillersNimbostratusI'm bumping this because I have the same question. In my case I'm going from 9.4.4 to 11.1 and I'm thinking this iRule is going to give me issues. I see a lot of examples going to version 10 not too many for 11, I don't know if its different.
- Mike_MaherNimbostratusAaron,
- hooleylistCirrostratusHi Mike,
All logs are sent to /var/log/ltm If the CN on the certificate or the Issuer changes, you can add the new data under Data Group to either ExtQuotes_CN_List or ExtQuotes_Issuer_List when HTTP_REQUEST { Log debug to /var/log/ltm? 1=yes, 0=no set cc_debug 1 Track whether we found a valid client cert set redirect 0 Check if the client presented a cert for this session if {[SSL::cert count] == 0}{ set redirect 1 set reason "No client certificate found" } else { Verify the cert properties (dates, etc) are valid https://devcentral.f5.com/wiki/iRules.SSL__verify_result.ashx if {[SSL::verify_result] != 0}{ set redirect 1 set reason "[X509::verify_cert_error_string [SSL::verify_result]]" } else { Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith set cert_subject_dn [X509::subject [SSL::cert 0]] if {$cc_debug}{log "Parsed subject: $cert_subject_dn"} set cert_issuer_dn [X509::issuer [SSL::cert 0]] if {$cc_debug}{log "Parsed issuer: $cert_issuer_dn"} Check if the client certificate contains the correct CN the data group if { [class match $cert_subject_dn contains ExtQuotes_CN_List] }{ Client cert subject is valid if {$cc_debug}{log "Client certificate subject: $cert_subject_dn"} Check if the client certificate contains the correct Issuer from the data group if { [class match $cert_issuer_dn contains ExtQuotes_Issuer_List] } { Client cert subject is valid if {$cc_debug}{log "Client certificate subject is valid: $cert_subject_dn"} } else { Client cert issuer is not valid if {$cc_debug}{log "Client certificate issuer not valid: $cert_issuer_dn"} set reason "Invalid issuer: $cert_issuer_dn" } } else { Client cert subject is not valid if {$cc_debug}{log "Client certificate subject not valid: $cert_subject_dn"} set reason "Invalid subject: $cert_subject_dn" } } } if {$redirect}{ if {$cc_debug}{log "No matching Client Certificate or Issuer Was Found Using: $cert_subject_dn or $cert_issuer_dn"} Reject the connection reject Or send a redirect to a remediation URL HTTP::redirect "https://fixyourcert.example.com/reason=[URI::encode $reason]" TCP::close } }
- hooleylistCirrostratusHi Misty,
when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 10.10.10.10 ] or [class match [IP::client_addr] equals ext_net ] } { pool ssh } else { discard } }
- Mike_MaherNimbostratusThanks Aaron, I will report back on how this work.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects