For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ben_Wilson_2412's avatar
Ben_Wilson_2412
Icon for Cirrus rankCirrus
Feb 08, 2010

X509::subject verification

Hi, We are doing our first B2B web service using client and server SSL authentication. I can see the "require" option on the client SSL profile, but no way to specify that only certa...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Feb 08, 2010
Hi Ben,

 

 

You can also use a trusted CA cert in the client SSL profile to ensure the client cert is valid against the specific CA cert your clients have been given certs with.

 

 

matchclass (Click here) is for comparing a string or other token against a class (aka datagroup in the GUI). To validate the subject DN, you can use a string comparisons like:

 

 

string match -nocase *.example.com $subject_dn

 

 

or:

 

 

[string tolower $subject_dn] ends_with ".example.com"

 

 

You can also use a trusted CA cert in the client SSL profile and then check the SSL::verify_result Click here to check whether the cert was verified against the trusted CA cert(s).

 

 

Aaron