Forum Discussion

ekanathdas_2662
May 07, 2012

We need to create an iRule that can verify a client's certificate by checking whether the Subject line contains "CN=ABCD".

Hi team,

I was looking for an iRule that can check a client's certificate by checking whether the Subject line contains "CN=ABCD".

I had referred to the below site:

https://devcentral.f5.com/wiki/iRules.ClientCertificateCNChecking.ashx

But in this case it's not for the same org.

Any help is appreciated.

Thanks,

Ekanath

 

  • Should the below work?

    when CLIENTSSL_CLIENTCERT {
        set cert [SSL::cert 0]
        set subject [X509::subject $cert]
        set clientIP [IP::client_addr]
        if { $subject contains "CN=ABCD.com" } {
            pool abcd
            log local0. "cert CN valid"
        } else {
            log local0. $clientIP
            log local0. "cert CN not valid"
            reject
        }
    }


  • That looks good. Make sure to check that there is a cert before trying to parse it as you'll get a runtime error and TCP reset if you don't and the client doesn't present a client cert in the handshake.

    when CLIENTSSL_CLIENTCERT {
        # Only parse the certificate if the client actually presented one
        if { [SSL::cert count] > 0 } {
            set cert [SSL::cert 0]
            # Lower-case the subject so the comparison is case-insensitive
            set subject [string tolower [X509::subject $cert]]
            set clientIP [IP::client_addr]
            if { $subject contains "cn=abcd.com" } {
                pool abcd
                log local0. "cert CN valid"
            } else {
                log local0. $clientIP
                log local0. "cert CN not valid"
                reject
            }
        }
    }


    Aaron
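The iRule below is an added example, not Aaron's or F5's code. It shows how to match the CN exactly instead of with `contains`, which also matches any subject where the string merely appears as a substring (a CN of abcd.com.example, for instance), and how to handle a client that presents no certificate at all. It assumes the pool is named abcd, the expected CN is abcd.com, and that X509::subject returns the DN as comma-separated RDNs (CN=...,OU=...,O=...).

```tcl
# Added example: exact CN match for a client certificate (assumes pool "abcd",
# expected CN "abcd.com", and a comma-separated DN from X509::subject).
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] < 1 } {
        # No certificate presented: log and reject rather than letting parsing fail
        log local0. "client [IP::client_addr] presented no certificate"
        reject
        return
    }
    set subject [X509::subject [SSL::cert 0]]
    set cn ""
    # Walk the DN components and pull out the value of the CN attribute only.
    # Note: a CN that itself contains an escaped comma would be split here.
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if { [string tolower [string range $rdn 0 2]] eq "cn=" } {
            set cn [string range $rdn 3 end]
            break
        }
    }
    # Compare the whole CN, case-insensitively, not a substring of the subject
    if { [string tolower $cn] eq "abcd.com" } {
        log local0. "client [IP::client_addr] cert CN $cn valid"
        pool abcd
    } else {
        log local0. "client [IP::client_addr] cert CN '$cn' not valid (subject: $subject)"
        reject
    }
}
```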
  • Upon accessing the site with a valid cert, the client machine never makes it to the site. Looks like the packets are dropped during the negotiation. Anything more I need to edit in the iRule?

    In /var/log/ltm, the logs show that it's a valid CN.

    Thanks,

    Ekanath