Forum Discussion
mikegray_198028
Cirrus
Sep 15, 2016
wild card CN validation.
Hello,
I am looking for a solution to validate a wild card CN from a client authentication certificate.
ex: CN=.dev.test.com
CN=_dev.test.com
Is there any way to validate this using Iru...
Kai_Wilke
MVP
Sep 16, 2016
Hi Mike,
you may use the iRule as a starting point...
when RULE_INIT {
    # Space-separated list of accepted CN suffixes
    set static::cn_wildcard ".dev.test.com _dev.test.com"
}
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert 0] eq "" } then {
        log local0.debug "A valid certificate is not present"
        reject
    } else {
        log local0.debug "A valid certificate is present"
        log local0.debug "DN=[X509::subject [SSL::cert 0]]"
        # Everything that follows "CN=" in the subject string
        set subject_cn [getfield [X509::subject [SSL::cert 0]] "CN=" 2]
        log local0.debug "CN=$subject_cn"
        set wildcard_match 0
        foreach wildcard $static::cn_wildcard {
            if { $subject_cn ends_with $wildcard } then {
                log local0.debug "CN=$subject_cn matches Wildcard=$wildcard"
                set wildcard_match 1
                break
            } else {
                log local0.debug "CN=$subject_cn does not match Wildcard=$wildcard"
            }
        }
        if { $wildcard_match } then {
            # Allow the request
        } else {
            reject
        }
    }
}

Note: I've not tested the iRule. It's just a quick writeup. So report back if you experience any problems with the code...
Cheers, Kai
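
An added example, not part of Kai's post: the iRule above compares the allowed suffixes against everything that follows "CN=" in the subject string, so any attribute printed after the CN ends up in the comparison. The plain Tcl below (runnable under tclsh, restricted to Tcl 8.4 commands so the proc bodies can be carried into an iRule) isolates the CN value first and compares case-insensitively. It assumes the subject string is a comma-separated attribute list with no escaped commas inside values; the proc names subject_cn and cn_allowed are hypothetical, and the sample subjects are constructed.

```tcl
# Return the lower-cased value of the first CN attribute in a
# comma-separated subject string, or "" if there is no CN.
# Assumption: attribute values contain no escaped commas.
proc subject_cn {subject} {
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if { [string match -nocase "CN=*" $rdn] } {
            return [string tolower [string trim [string range $rdn 3 end]]]
        }
    }
    return ""
}

# Return 1 if cn ends with one of the allowed suffixes, else 0.
proc cn_allowed {cn suffixes} {
    foreach suffix $suffixes {
        set suffix [string tolower $suffix]
        set start [expr {[string length $cn] - [string length $suffix]}]
        if { $start >= 0 && [string equal [string range $cn $start end] $suffix] } {
            return 1
        }
    }
    return 0
}

# Same suffixes as static::cn_wildcard in the iRule above
set suffixes [list ".dev.test.com" "_dev.test.com"]

# Constructed sample subjects (not taken from real certificates)
set samples [list \
    "CN=app1.dev.test.com,OU=Clients,O=Test" \
    "OU=Clients,CN=APP1_dev.test.com" \
    "CN=app1.prod.test.com,OU=team.dev.test.com" \
    "OU=Clients,O=Test"]

foreach subject $samples {
    set cn [subject_cn $subject]
    # The "raw" column shows what a whole-tail comparison would see after "CN="
    set idx [string first "CN=" $subject]
    set raw [expr {$idx >= 0 ? [string range $subject [expr {$idx + 3}] end] : ""}]
    puts [format "cn=%-20s allowed=%d  raw=%s" $cn [cn_allowed $cn $suffixes] $raw]
}
```

In the first and third samples the raw tail and the isolated CN differ, which is the case where a whole-tail suffix check and a CN-only check give different answers.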