Forum Discussion
ekanathdas_2662
Nimbostratus
May 07, 2012
We need to create an iRule that can verify client's certificate by checking the Subject line contains "CN=ABCD".
Hi team,
I was looking for an iRule which can check the client's certificate by checking whether the Subject line contains "CN=ABCD".
I had referred to the below site:
https://devcentral.f5.com/wiki/iRules.ClientCertificateCNChecking.ashx
But in this case it's not for the same org.
Any help is appreciated.
Thanks,
Ekanath
5 Replies
- ekanathdas_2662
Nimbostratus
Should the below work?
- hoolio
Cirrostratus
That looks good. Make sure to check that there is a cert before trying to parse it as you'll get a runtime error and TCP reset if you don't and the client doesn't present a client cert in the handshake.

    when CLIENTSSL_CLIENTCERT {
        # Only parse the certificate if the client presented one
        if {[SSL::cert count] > 0} {
            set cert [SSL::cert 0]
            set subject [string tolower [X509::subject $cert]]
            set clientIP [IP::client_addr]
            if { $subject contains "cn=abcd.com" } {
                log local0. "cert CN valid"
                pool abcd
            } else {
                # Log the client address with the failure, then drop the connection
                log local0. "$clientIP cert CN not valid"
                reject
            }
        }
    }
- ekanathdas_2662
Nimbostratus
Thanks Aaron, a lot.
- ekanathdas_2662
Nimbostratus
Upon accessing the site with a valid cert, the client machine never makes it to the site. Looks like the packets are dropped during the negotiation. Is there anything more I need to edit in the iRule?
- ekanathdas_2662
Nimbostratus
Please ignore my previous posting on 06/07/2012 08:49 PM
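
An added example, not part of any post in this thread: a `contains` test on the whole subject also passes when the string appears inside a longer CN or in another attribute, so this variant extracts the CN attribute and compares it exactly. The expected CN value, the pool name `abcd` (taken from the reply above) and the comma-separated `attr=value` subject layout are assumptions.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Assumed expected value; replace with the CN your CA actually issues.
    set expected_cn "abcd.com"
    set client_ip [IP::client_addr]

    # No certificate presented: refuse instead of parsing an empty value.
    if { [SSL::cert count] == 0 } {
        log local0. "$client_ip no client cert presented"
        reject
        return
    }

    # Assumption: the subject is a comma-separated list of attr=value pairs,
    # e.g. "CN=abcd.com,OU=IT,O=Example,C=US" (constructed sample).
    # Values that contain escaped commas are not handled by this simple split.
    set subject [X509::subject [SSL::cert 0]]
    set cn_values [list]
    foreach rdn [split $subject ","] {
        set eq [string first "=" $rdn]
        if { $eq < 0 } { continue }
        set attr [string tolower [string trim [string range $rdn 0 [expr {$eq - 1}]]]]
        if { $attr eq "cn" } {
            set value [string range $rdn [expr {$eq + 1}] end]
            lappend cn_values [string tolower [string trim $value]]
        }
    }

    # Accept only a subject with exactly one CN that equals the expected value.
    if { [llength $cn_values] == 1 && [lindex $cn_values 0] eq $expected_cn } {
        log local0. "$client_ip cert CN valid"
        pool abcd
    } else {
        log local0. "$client_ip cert CN not valid"
        reject
    }
}
```

The CN check only means something if the client SSL profile validates the certificate chain against your own CA; the subject of an unvalidated certificate is whatever the client chose to put in it.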