Forum Discussion

ciscoarc's avatar
ciscoarc
Icon for Nimbostratus rankNimbostratus
May 29, 2018

Verifying CN received (client auth)

Hi guys,

I'm trying to verify client auth certificate and using this iRule, but from the logs I can see it's always Accepted even though my trusted_certs only has 1 CN;

i.e: my trusted_certs is "CN" = "3456.mycompany.com" ;

But even if I send 1234.mycompany.com it still says Client Certificate Accepted:CN=1234.mycompany.com

when CLIENTSSL_CLIENTCERT {
if { [SSL::cert count] != 0 }{
    set cert [SSL::cert 0]
    set subject_dn [findstr [X509::subject [SSL::cert 0]] "CN=" 0 ","]
    log "Client Certificate Received: $subject_dn"
}

if { ([matchclass $subject_dn contains trusted_certs]) } {
    log "Client Certificate Accepted: $subject_dn"
    } else {
        log "No Matching Client Certificate Was Found Using: $subject_dn"
        reject
    }
}
application delivery
iRules
  • ciscoarc's avatar
    ciscoarc
    Icon for Nimbostratus rankNimbostratus
    May 29, 2018

    Hi Blakely,

     

    Yeah I tested that too. Still the same (I better change my code snippet, as I know matchclass uses the $:: object)

     

    and the data group is there..

     

  • ciscoarc's avatar
    ciscoarc
    Icon for Nimbostratus rankNimbostratus
    May 29, 2018

     

    I can't seem to include any arguments after data-group

     

  • Simon_Blakely's avatar
    Simon_Blakely
    Icon for Employee rankEmployee
    May 29, 2018

    It's an external file, so you can't list the contents. Try:

    cat /config/filestore/files_d/Common_d/data_group_d/\:Common\:trusted_certs*
  • ciscoarc's avatar
    ciscoarc
    Icon for Nimbostratus rankNimbostratus
    May 29, 2018

    Apologies, due to organization rule, I can't divulge the full CN.

    The trusted_certs only contains 1 single line as above. So I created a self-signed cert and key using openssl and send it to the Virtual Server with command:

    openssl -s_client -connect host:port -cert 1234.mycompany.com -key 1234.mycompany.com

    This is what I see from F5 logs:

  • Simon_Blakely's avatar
    Simon_Blakely
    Icon for Employee rankEmployee
    May 29, 2018

    I think what is happening is:

     

    The way you created your datagroup has created a datagroup element with a name of "CN" and a value of "3456.xxxx.yyyy.zzz".

     

    Your extraction from the certificate is CN=1234.xxxx.yyyy.zzz

     

    So the contains match is for "CN", and will always match. You can create your datagroup without the CN= element at all, or specify the -value specifier to match on the values.