Forum Discussion
Mike_Maher
Mar 02, 2012 (Nimbostratus)
TCL with iRule in v11.1
I have the following iRule that went through an upgrade from 10.2.0 to 11.1, and I am now seeing some TCL errors. I am pretty sure it has to do with the way I am referencing the Data Group, but I am not...
hooleylist
Mar 09, 2012 (Cirrostratus)
Hi Mike,
In 10.1, TMM stores the client's cert details in the SSL session cache:
https://devcentral.f5.com/wiki/iRules.ssl__cert.ashx
Note: As of 10.1.0, as described in CR116806, the following iRule commands now apply to the lifetime of the SSL session, and not only for the connection in which the system receives the client certificate:
* SSL::cert
* SSL::cert issuer
* SSL::cert count
Here's an untested example of what I'm thinking you could try:
    # All logs are sent to /var/log/ltm
    # If the CN on the certificate or the Issuer changes, you can
    # add the new data under Data Group to either ExtQuotes_CN_List
    # or ExtQuotes_Issuer_List
    when HTTP_REQUEST {
       # Log debug to /var/log/ltm? 1=yes, 0=no
       set cc_debug 1

       # Track whether we found a valid client cert
       set redirect 0

       # Initialise the DN variables so the final log line never references an unset variable
       set cert_subject_dn ""
       set cert_issuer_dn ""

       # Check if the client presented a cert for this session
       if {[SSL::cert count] == 0}{
          set redirect 1
          set reason "No client certificate found"
       } else {
          # Verify the cert properties (dates, etc) are valid
          # https://devcentral.f5.com/wiki/iRules.SSL__verify_result.ashx
          if {[SSL::verify_result] != 0}{
             set redirect 1
             set reason "[X509::verify_cert_error_string [SSL::verify_result]]"
          } else {
             # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
             set cert_subject_dn [X509::subject [SSL::cert 0]]
             if {$cc_debug}{log "Parsed subject: $cert_subject_dn"}
             set cert_issuer_dn [X509::issuer [SSL::cert 0]]
             if {$cc_debug}{log "Parsed issuer: $cert_issuer_dn"}

             # Check if the client certificate contains the correct CN from the data group
             if { [class match $cert_subject_dn contains ExtQuotes_CN_List] }{
                # Client cert subject is valid
                if {$cc_debug}{log "Client certificate subject: $cert_subject_dn"}

                # Check if the client certificate contains the correct Issuer from the data group
                if { [class match $cert_issuer_dn contains ExtQuotes_Issuer_List] } {
                   # Client cert issuer is valid
                   if {$cc_debug}{log "Client certificate subject is valid: $cert_subject_dn"}
                } else {
                   # Client cert issuer is not valid
                   if {$cc_debug}{log "Client certificate issuer not valid: $cert_issuer_dn"}
                   set redirect 1
                   set reason "Invalid issuer: $cert_issuer_dn"
                }
             } else {
                # Client cert subject is not valid
                if {$cc_debug}{log "Client certificate subject not valid: $cert_subject_dn"}
                set redirect 1
                set reason "Invalid subject: $cert_subject_dn"
             }
          }
       }
       if {$redirect}{
          if {$cc_debug}{log "No matching Client Certificate or Issuer Was Found Using: $cert_subject_dn or $cert_issuer_dn"}

          # Reject the connection (leave commented out if using the redirect below)
          #reject

          # Or send a redirect to a remediation URL
          HTTP::redirect "https://fixyourcert.example.com/reason=[URI::encode $reason]"
          TCP::close
       }
    }
If you use the HTTP::redirect to send the client to a separate page which explains why their request was rejected, make sure that you HTML encode any data you display back to the client to avoid any XSS vulnerabilities. You could also send a response with content directly from the iRule using HTTP::respond instead of a redirect.
If you test this could you let me know how it goes? If it works, I'll add it to the codeshare.
Thanks, Aaron
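As an added illustration (not part of Aaron's answer or any F5 code), the Python below mirrors the subject and issuer checks the iRule performs on the one-line DN format shown above, and the encoding advice at the end of the answer: `substring_match` reproduces the `class match ... contains` semantics, `exact_cn_match` is the stricter whole-CN comparison an allow-list check is better served by, and `reason_html` / `redirect_location` encode the client-supplied reason before it is reflected. The allow-list entries, DNs and the remediation host are constructed placeholders.

```python
import html
from urllib.parse import quote

# Constructed stand-ins for the ExtQuotes_CN_List / ExtQuotes_Issuer_List data groups.
CN_ALLOWLIST = {"John Smith"}
ISSUER_ALLOWLIST = {"/C=AU/ST=NSW/L=Syd/O=Your Organisation/CN=Example Issuing CA"}


def parse_dn(dn):
    """Split an OpenSSL one-line DN (/C=AU/.../CN=John Smith) into (attr, value) pairs.
    Assumes values contain no escaped '/' characters."""
    pairs = []
    for part in dn.split("/"):
        if part:
            attr, _, value = part.partition("=")
            pairs.append((attr, value))
    return pairs


def substring_match(dn, allowlist):
    """Same semantics as 'class match $dn contains <group>': true if any
    group entry appears anywhere in the DN string."""
    return any(entry in dn for entry in allowlist)


def exact_cn_match(dn, allowlist):
    """Stricter check: exactly one CN attribute, and its whole value is listed."""
    cns = [value for attr, value in parse_dn(dn) if attr == "CN"]
    return len(cns) == 1 and cns[0] in allowlist


def decide(subject_dn, issuer_dn):
    """Return (redirect, reason) as the iRule does, using the strict checks."""
    if not exact_cn_match(subject_dn, CN_ALLOWLIST):
        return True, "Invalid subject: " + subject_dn
    if issuer_dn not in ISSUER_ALLOWLIST:
        return True, "Invalid issuer: " + issuer_dn
    return False, ""


def reason_html(reason):
    """HTML-encode the client-controlled DN before reflecting it (HTTP::respond case)."""
    return "<p>Certificate rejected: %s</p>" % html.escape(reason, quote=True)


def redirect_location(reason):
    """Percent-encode the reason for the redirect query string (URI::encode case)."""
    return "https://fixyourcert.example.com/?reason=" + quote(reason, safe="")
```

Running `decide` on a subject whose CN merely contains an allowed name shows why the substring form is looser than the exact form.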