
Forum Discussion

RobW
Apr 01, 2008

X509 subject reorder and substitution

I have a pool of servers with an application that expects to be presented with the X509 subject in the following manner.

Alteon/Nortel -

X-SSL: peersubject="/C=TZ/O=T.Z. Corp/OU=PoP/OU=PKI/OU=CONTRACTOR/CN=LN.FN.027060322604"

We are currently migrating to the LTMs.

The iRule I currently have presents the X509 subject in the following manner.

X-SSL: CN=LN.FN.027060322604,OU=CONTRACTOR,OU=PKI,OU=PoP,O=T.Z. Corp,C=TZ

when CLIENTSSL_CLIENTCERT {
    # Cache the client certificate against the SSL session ID for 600 seconds
    set cert [SSL::cert 0]
    session add ssl [SSL::sessionid] $cert 600
}

when HTTP_REQUEST {
    set client_cert [session lookup ssl [SSL::sessionid]]
    if { $client_cert eq "" } {
        # No cached certificate for this session: ask the client for one
        SSL::renegotiate
    } else {
        HTTP::header insert X-SSL [X509::subject $client_cert]
    }
}

I have been asked to reformat the data string, the X509 subject, to match what the Alteons sent.

X-SSL: peersubject="/C=TZ/O=T.Z. Corp/OU=PoP/OU=PKI/OU=CONTRACTOR/CN=LN.FN.027060322604"

My attempts to split and reorder the data have failed. Any help is appreciated.

List elements 0 1 2 3 4 5 need to be reordered 5 4 3 2 1 0 and then I need to insert a forward slash as a separator.

when CLIENTSSL_CLIENTCERT {
    set cert [SSL::cert 0]
    session add ssl [SSL::sessionid] $cert 600
}

when HTTP_REQUEST {
    # Note: this splits the cached certificate itself, not the subject string
    set client_cert [split [session lookup ssl [SSL::sessionid]] ","]
    # Note: lindex with no index argument returns the whole list unchanged
    set client_cert_subject [lindex $client_cert]
    set peersubject "peersubject="
    # Note: in Tcl 8.4 extra lindex arguments are nested indices, not a selection order
    set X509_subject [lindex [split $client_cert ","] 5 4 3 2 1 0]
    if { $client_cert eq "" } {
        SSL::renegotiate
    } else {
        HTTP::header insert X-SSL [X509::subject $peersubject"$client_cert"]
    }
}

Ultimate iRule goal: X-SSL: peersubject="/C=TZ/O=T.Z. Corp/OU=PoP/OU=PKI/OU=CONTRACTOR/CN=LN.FN.027060322604"

-Rob

8 Replies

  • hoolio
    In TCL 8.5, there is a lreverse command. As current versions of iRules use 8.4, you can adapt this example (Click here):

        # Set a test cert string
        set client_cert_orig {CN=LN.FN.027060322604,OU=CONTRACTOR,OU=PKI,OU=PoP,O=T.Z. Corp,C=TZ}
        log local0. "\$client_cert_orig: $client_cert_orig"
        # Split the cert string into a list
        set client_cert_list [split $client_cert_orig ","]
        log local0. "\$client_cert_list: $client_cert_list"
        # Save the length of the list
        set i [llength $client_cert_list]
        # Reset the value of a new string to save the client cert
        set client_cert ""
        # Loop through the list from the last element to the first
        while {$i > 0} {
            # Append the current list item to the string with a forward slash as the delineator
            append client_cert /[lindex $client_cert_list [incr i -1]]
            log local0. "\$client_cert: $client_cert"
        }

    Here is the log output:

     Rule : $client_cert_orig: CN=LN.FN.027060322604,OU=CONTRACTOR,OU=PKI,OU=PoP,O=T.Z. Corp,C=TZ
     Rule : $client_cert_list: CN=LN.FN.027060322604 OU=CONTRACTOR OU=PKI OU=PoP {O=T.Z. Corp} C=TZ
     Rule : $client_cert: /C=TZ
     Rule : $client_cert: /C=TZ/O=T.Z. Corp
     Rule : $client_cert: /C=TZ/O=T.Z. Corp/OU=PoP
     Rule : $client_cert: /C=TZ/O=T.Z. Corp/OU=PoP/OU=PKI
     Rule : $client_cert: /C=TZ/O=T.Z. Corp/OU=PoP/OU=PKI/OU=CONTRACTOR
     Rule : $client_cert: /C=TZ/O=T.Z. Corp/OU=PoP/OU=PKI/OU=CONTRACTOR/CN=LN.FN.027060322604

    Aaron
  • RobW
    Aaron,

    Thanks for passing along this chunk of code. I just came across the lreverse command and was hoping that was the answer. Is v9.4.4 using TCL v8.4? Is there any way to check the TCL version via the CLI?

    append client_cert /[lindex $client_cert_list [incr i -1]]

    $client_cert = ""

    Append / plus the contents of the commands executed between the brackets, starting at the innermost brackets.

    $i = 6, increment $i by -1

    lindex contains the list of elements that $client_cert_list points to.

    So, lindex will list element 5 first. While $i > 0, continue processing the append statement until [incr i -1] $i = 0.

    At which point the elements have been reversed and a list created in $client_cert.

    Very nice!

    Thanks,

    -Rob
  • hoolio
    I don't know of a way to determine the TCL version used on a particular BIG-IP version. As far as I'm aware, all versions use TCL v8.4. SOL6091 (Click here) states the exact version is 8.4.6. A quick way to confirm this would be to try using the lreverse command. You should see an error stating that the command name is invalid.

    Aaron
  • spark_86682
    All currently released versions of BIG-IP are still based on Tcl v8.4.6, so SOL6091 is correct.
  • hoolio
    Hi Spark, any idea if/when an upgrade to the TCL library is planned?

    Aaron
  • spark_86682
    We are currently planning on an update in a version slated for release towards the end of this year. This may change, of course, and I really can't comment on it more than that.
  • hoolio
    Thanks for the info, Spark.

    I noticed you can get the TCL version using info tclversion:

        log local0. "\[info tclversion\]: [info tclversion]"

    Any chance a custom iRules option could be added like 'info iruleversion' or 'info bigipversion' to get the BIG-IP OS version?

    Aaron
  • Hi all,

    This is all very nice, but what if the registered CN or OU already has a ", " in the name? The list option does not work anymore. Isn't there a more fancy way around this?
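An added example, not from any post in this thread, that extends Aaron's split-and-reverse loop to cover the case raised in the last reply: a comma inside a CN or OU value. It assumes X509::subject returns OpenSSL's RFC 2253 formatting, in which a comma inside a value is escaped as "\,", and it is written in Tcl 8.4 (no lreverse) so it runs in tclsh and on the BIG-IP versions discussed above. Two things a practitioner would want here beyond the plain reorder: a "/" inside a value is escaped as "\/", because the Alteon format uses "/" as its separator and an unescaped one would let a certificate value masquerade as an extra RDN on the backend; and the client-supplied X-SSL header is removed before ours is inserted, since HTTP::header insert adds a header without removing one the client already sent. The proc names split_rdns and alteon_subject and the second sample subject are my own.

```tcl
# Added example, not from the thread. Tcl 8.4 compatible (no lreverse).
# Assumption: the subject comes from X509::subject in OpenSSL's RFC 2253
# form, where a comma inside a value is escaped as "\,".

# Split an RFC 2253 subject on commas that are not escaped by a backslash.
proc split_rdns {dn} {
    set rdns [list]
    set cur ""
    set len [string length $dn]
    for {set i 0} {$i < $len} {incr i} {
        set c [string index $dn $i]
        if {$c eq "\\" && $i + 1 < $len} {
            # Keep the backslash and the escaped character together
            incr i
            append cur "\\" [string index $dn $i]
        } elseif {$c eq ","} {
            lappend rdns [string trim $cur]
            set cur ""
        } else {
            append cur $c
        }
    }
    lappend rdns [string trim $cur]
    return $rdns
}

# Reverse the RDN order and join with "/" in the Alteon style.
# "\," becomes a plain comma (it is no longer a separator), and any "/"
# inside a value is escaped as "\/" so a value cannot look like an extra RDN.
proc alteon_subject {dn} {
    set rdns [split_rdns $dn]
    set out ""
    for {set i [expr {[llength $rdns] - 1}]} {$i >= 0} {incr i -1} {
        set rdn [string map [list "\\," "," "/" "\\/"] [lindex $rdns $i]]
        append out "/" $rdn
    }
    return "peersubject=\"$out\""
}

# In the iRule, replacing the else branch of the original HTTP_REQUEST event:
#   HTTP::header remove X-SSL   ;# drop any copy the client sent itself
#   HTTP::header insert X-SSL [alteon_subject [X509::subject $client_cert]]

# Constructed inputs: the thread's subject, then one with "\," and "/" inside values
puts [alteon_subject {CN=LN.FN.027060322604,OU=CONTRACTOR,OU=PKI,OU=PoP,O=T.Z. Corp,C=TZ}]
puts [alteon_subject {CN=Doe\, John,OU=R/D,O=T.Z. Corp,C=TZ}]
```

The first call yields exactly the target string from the original post; the second shows "CN=Doe, John" kept as one RDN and "OU=R\/D" with its slash escaped. If your BIG-IP version does not allow proc inside an iRule, paste the body of the two procs inline into the HTTP_REQUEST event; the logic does not depend on anything outside plain Tcl 8.4.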