Forum Discussion

RobW
Apr 01, 2008

X509 subject reorder and substitution

I have a pool of servers with an application that expects to be presented with the X509 subject in the following manner.

Alteon/Nortel -

X-SSL: peersubject="/C=TZ/O=T.Z. Corp/OU=PoP/OU=PKI/OU=CONTRACTOR/CN=LN.FN.027060322604"

We are currently migrating to the LTMs.

The iRule I currently have presents the X509 subject in the following manner.

X-SSL: CN=LN.FN.027060322604,OU=CONTRACTOR,OU=PKI,OU=PoP,O=T.Z. Corp,C=TZ

    when CLIENTSSL_CLIENTCERT {
        # Cache the client certificate, keyed by SSL session ID, for 600 seconds
        set cert [SSL::cert 0]
        session add ssl [SSL::sessionid] $cert 600
    }

    when HTTP_REQUEST {
        set client_cert [session lookup ssl [SSL::sessionid]]
        if { $client_cert eq "" } {
            # No cached certificate for this session: ask the client for one
            SSL::renegotiate
        } else {
            # Forward the subject DN to the pool in the comma-separated form
            HTTP::header insert X-SSL [X509::subject $client_cert]
        }
    }

I have been asked to reformat the data string, X509 subject, to match what the Alteons sent.

X-SSL: peersubject="/C=TZ/O=T.Z. Corp/OU=PoP/OU=PKI/OU=CONTRACTOR/CN=LN.FN.027060322604"

My attempts to split and reorder the data have failed. Any help is appreciated.

List elements 0 1 2 3 4 5 need to be reordered 5 4 3 2 1 0 and then I need to insert a forward slash as a separator.

    when CLIENTSSL_CLIENTCERT {
        set cert [SSL::cert 0]
        session add ssl [SSL::sessionid] $cert 600
    }

    when HTTP_REQUEST {
        set client_cert [split [session lookup ssl [SSL::sessionid]] ","]
        set client_cert_subject [lindex $client_cert]
        set peersubject "peersubject="
        set X509_subject [lindex [split $client_cert ","] 5 4 3 2 1 0]
        if { $client_cert eq "" } {
            SSL::renegotiate
        } else {
            HTTP::header insert X-SSL [X509::subject $peersubject"$client_cert"]
        }
    }

Ultimate iRule goal: X-SSL: peersubject="/C=TZ/O=T.Z. Corp/OU=PoP/OU=PKI/OU=CONTRACTOR/CN=LN.FN.027060322604"

-Rob
  • In TCL 8.5, there is a lreverse command. As current versions of iRules use 8.4, you can adapt this example (Click here):

        # Set a test cert string
        set client_cert_orig {CN=LN.FN.027060322604,OU=CONTRACTOR,OU=PKI,OU=PoP,O=T.Z. Corp,C=TZ}
        log local0. "\$client_cert_orig: $client_cert_orig"
        # Split the cert string into a list
        set client_cert_list [split $client_cert_orig ","]
        log local0. "\$client_cert_list: $client_cert_list"
        # Save the length of the list
        set i [llength $client_cert_list]
        # Reset the value of a new string to save the client cert
        set client_cert ""
        # Loop through the list from the last element to the first
        while {$i > 0} {
            # Append the current list item to the string with a forward slash as the delineator
            append client_cert /[lindex $client_cert_list [incr i -1]]
            log local0. "\$client_cert: $client_cert"
        }

    Here is the log output:

     Rule : $client_cert_orig: CN=LN.FN.027060322604,OU=CONTRACTOR,OU=PKI,OU=PoP,O=T.Z. Corp,C=TZ
     Rule : $client_cert_list: CN=LN.FN.027060322604 OU=CONTRACTOR OU=PKI OU=PoP {O=T.Z. Corp} C=TZ
     Rule : $client_cert: /C=TZ
     Rule : $client_cert: /C=TZ/O=T.Z. Corp
     Rule : $client_cert: /C=TZ/O=T.Z. Corp/OU=PoP
     Rule : $client_cert: /C=TZ/O=T.Z. Corp/OU=PoP/OU=PKI
     Rule : $client_cert: /C=TZ/O=T.Z. Corp/OU=PoP/OU=PKI/OU=CONTRACTOR
     Rule : $client_cert: /C=TZ/O=T.Z. Corp/OU=PoP/OU=PKI/OU=CONTRACTOR/CN=LN.FN.027060322604

    Aaron
  • RobW
    Aaron,

    Thanks for passing along this chunk of code. I just came across the lreverse command and was hoping that was the answer. Is v9.4.4 using TCL v8.4? Is there any way to check the TCL version via the CLI?

        append client_cert /[lindex $client_cert_list [incr i -1]]

    $client_cert = ""

    Append / plus the contents of the commands executed between the brackets, starting at the innermost brackets.

    $i = 6, increment $i by -1

    lindex contains the list of elements that $client_cert_list points to.

    So, lindex will list element 5 first. While $i > 0, continue processing the append statement until [incr i -1] gives $i = 0.

    At which point the elements have been reversed and a list created in $client_cert.

    Very nice!

    Thanks,

    -Rob
  • I don't know of a way to determine the TCL version used on a particular BIG-IP version. As far as I'm aware, all versions use TCL v8.4. SOL6091 (Click here) states the exact version is 8.4.6. A quick way to confirm this would be to try using the lreverse command. You should see an error stating that the command name is invalid.

    Aaron
  •
    spark_86682
    Historic F5 Account
    All currently released versions of BIG-IP are still based on Tcl v8.4.6, so SOL6091 is correct.
  • Hi Spark, any idea if/when an upgrade to the TCL library is planned?

    Aaron
  •
    spark_86682
    Historic F5 Account
    We are currently planning on an update in a version slated for release towards the end of this year. This may change, of course, and I really can't comment on it more than that.
  • Thanks for the info, Spark.

    I noticed you can get the TCL version using info tclversion:

        log local0. "\[info tclversion\]: [info tclversion]"

    Any chance a custom iRules option could be added like 'info iruleversion' or 'info bigipversion' to get the BIG-IP OS version?

    Aaron
  • Hi all,

    This is all very nice, but what if the registered CN or OU already has a ", " in the name? The list option does not work anymore. Isn't there a more fancy way around this?
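The loop Aaron posted does the reversal, and the last comment points at its weak spot: a plain split on "," breaks as soon as an attribute value itself contains a comma. The following is an added example, not code from the thread or from F5, showing a Tcl 8.4 version (no lreverse) that walks the subject character by character and treats a backslash-escaped comma as data rather than as a separator, then reverses and joins with "/" and refuses values that would be ambiguous in the slash-delimited target format. It assumes the comma form of the subject escapes an embedded comma as "\," in RFC 4514 style; the thread does not say exactly how X509::subject renders such values, so check that against a real certificate. The proc names dn_split, dn_to_slash and peersubject_value and the sample subjects with embedded commas are mine; the first sample subject is the one from the thread.

```tcl
# Added example, not code from the thread or from F5. Tcl 8.4 compatible
# (no lreverse), runnable stand-alone with tclsh. Assumes a literal comma
# inside a value is escaped as "\," in the comma form of the subject
# (RFC 4514 style); the thread does not state what X509::subject emits.
# Proc names dn_split, dn_to_slash and peersubject_value are mine.

# Split a comma-separated DN into its RDN strings. A backslash-escaped
# character is copied through and never treated as a separator, so
# "CN=Doe\, John" stays one element. Escape pairs are kept verbatim.
proc dn_split {dn} {
    set rdns [list]
    set cur ""
    set len [string length $dn]
    for {set i 0} {$i < $len} {incr i} {
        set ch [string index $dn $i]
        if {$ch eq "\\" && $i + 1 < $len} {
            # escape pair: take this character and the next one together
            append cur $ch [string index $dn [incr i]]
        } elseif {$ch eq ","} {
            lappend rdns $cur
            set cur ""
        } else {
            append cur $ch
        }
    }
    lappend rdns $cur
    return $rdns
}

# Reverse the RDN order and join with "/" (the Alteon layout). The subject
# comes from a client-presented certificate, so a value containing "/" or a
# double quote would be ambiguous in the target format; refuse it with an
# error instead of forwarding a header the backend could mis-parse.
proc dn_to_slash {dn} {
    if {$dn eq ""} { return "" }
    set rdns [dn_split $dn]
    set out ""
    set i [llength $rdns]
    while {$i > 0} {
        set rdn [lindex $rdns [incr i -1]]
        if {[string first "/" $rdn] >= 0 || [string first "\"" $rdn] >= 0} {
            error "RDN contains a slash-format delimiter: $rdn"
        }
        append out "/" $rdn
    }
    return $out
}

# Header value in the form the Alteons sent: peersubject="/C=.../CN=..."
proc peersubject_value {dn} {
    return "peersubject=\"[dn_to_slash $dn]\""
}

# Self-check on constructed subjects (the first pair is the one from the thread).
set checks [list \
    {CN=LN.FN.027060322604,OU=CONTRACTOR,OU=PKI,OU=PoP,O=T.Z. Corp,C=TZ} \
    {/C=TZ/O=T.Z. Corp/OU=PoP/OU=PKI/OU=CONTRACTOR/CN=LN.FN.027060322604} \
    {CN=Doe\, John,OU=PKI,O=T.Z. Corp,C=TZ} \
    {/C=TZ/O=T.Z. Corp/OU=PKI/CN=Doe\, John}]
foreach {input want} $checks {
    set got [dn_to_slash $input]
    if {$got ne $want} { error "got '$got', want '$want'" }
}
# The plain [split $dn ","] from the thread yields 5 elements here, not 4,
# because it cuts "Doe\, John" in two.
set tricky {CN=Doe\, John,OU=PKI,O=T.Z. Corp,C=TZ}
if {[llength [dn_split $tricky]] != 4} { error "dn_split lost the escape" }
if {[llength [split $tricky ","]] != 5} { error "expected naive split to break" }
# A value containing "/" is refused rather than forwarded.
if {![catch {dn_to_slash {CN=a/b,C=TZ}}]} { error "expected refusal" }
if {[peersubject_value {CN=x,C=TZ}] ne {peersubject="/C=TZ/CN=x"}} {
    error "peersubject_value"
}
puts "all checks passed"
```

Run under tclsh this prints "all checks passed". Older BIG-IP releases such as the 9.4.x discussed here do not allow proc definitions in iRules, so in the HTTP_REQUEST event the loop goes inline, wrapped in catch so that a refused subject turns into an HTTP::respond 403 rather than an iRule runtime error. Two further points for the iRule itself: the escape pairs are passed through unchanged, so agree with the backend owners whether "\," should be unescaped to "," on the way out; and HTTP::header insert adds a header without removing one the client may have sent itself, so use HTTP::header replace (or remove followed by insert) so the pool only ever sees a value derived from the certificate.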