Forum Discussion
mikegray_198028
Cirrus
Sep 15, 2016wild card CN validation.
Hello,
I am looking for a solution to validate wild card CN from client authentication certificate.
ex: CN=.dev.test.com
CN=_dev.test.com Is there any vay to validate this using Iru...
Kai_Wilke
MVP
Sep 16, 2016Hi Mike,
you may use the iRule as a starting point...
when RULE_INIT {
set static::cn_wildcard ".dev.test.com _dev.test.com"
}
when CLIENTSSL_CLIENTCERT {
if { [SSL::cert 0] eq "" } then {
log local0.debug "A valid certificate is not present"
reject
} else {
log local0.debug "A valid certificate is present"
log local0.debug "DN=[X509::subject [SSL::cert 0]]"
set subject_cn [getfield [X509::subject [SSL::cert 0]] "CN=" 2]
log local0.debug "CN=$subject_cn"
set wildcard_match 0
foreach wildcard $static::cn_wildcard {
if { $subject_cn ends_with $wildcard } then {
log local0.debug "CN=$subject_cn matches Wildcard=$wildcard"
set wildcard_match 1
break
} else {
log local0.debug "CN=$subject_cn does not match Wildcard=$wildcard"
}
}
if { $wildcard_match } then {
Allow the request
} else {
reject
}
}
}Note: I've not tested the iRule. Its just a quick writeup. So report back if you experience any problems with the code...
Cheers, Kai
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects