Forum Discussion
Ben_Wilson_2412
Cirrus
CirrusX509::subject verification
Hi,
We are doing our first B2B web service using client and server SSL authentication.
I can see the "require" option on the client SSL profile, but no way to specify that only certain client certs are allowed to connect (dev.company.com is allowed, but prod1.company.com is not). After talking to support, iRules seems to be the way to do this with F5 LTM.
There is a good example of I think we need to do here: http://devcentral.f5.com/wiki/default.aspx/iRules/ClientCertificateCNChecking.html, though it seems a little outdated as it mentions the pre-BIGIP-9.3.0 syntax for X509::subject.
Is the "matchclass" method the best way to validate the CN?
Would I need to check the date on the cert, or will the profile enforce it?
The cert CN is a wildcard, any caveats with this type of cert?
Here's what I'm thinking of using:
when CLIENTSSL_CLIENTCERT {
set subject_dn [X509::subject [SSL::cert 0]]
log "Client Certificate Received: $subject_dn"
if { [matchclass $subject_dn contains '*.fakedomain.com']} {
Accept the client cert
log "Client Certificate Accepted: $subject_dn"
} else {
log "Invalid Client Certificate Was Found Using: $subject_dn"
reject
}
}
hoolioCirrostratus
Hi Ben,
You can also use a trusted CA cert in the client SSL profile to ensure the client cert is valid against the specific CA cert your clients have been given certs with.
matchclass (Click here) is for comparing a string or other token against a class (aka datagroup in the GUI). To validate the subject DN, you can use a string comparisons like:
string match -nocase *.example.com $subject_dn
or:
[string tolower $subject_dn] ends_with ".example.com"
You can also use a trusted CA cert in the client SSL profile and then check the SSL::verify_result Click here to check whether the cert was verified against the trusted CA cert(s).
Aaron
Ben_Wilson_2412Hi Aaron,
Thanks for the reply.
Looks like combining the verify_result and string match should do what we need.
Thanks again!
Ben