Validate Certificate Common Name and Revocation Status
Problem this snippet solves:
If you are using the same CA to issue client certificates for secure access to multiple applications and want to restrict which applications each certificate can reach, this iRule restricts access by verifying that the certificate CN matches the FQDN of the application.
The iRule also lets you revoke a certificate by matching the serial number (SN) of the revoked certificate.
Note: this example does not check that the certificate chained to a trusted CA, so a self-signed certificate with the proper common name would pass this check. This iRule should be rewritten to verify the chain using the SSL::verify_result command.
Code:

# get certificate data
when CLIENTSSL_CLIENTCERT {
    set cert [SSL::cert 0]
    set sn [X509::serial_number $cert]
    set subject [X509::subject $cert]
    set issuer [X509::issuer $cert]
    set version [X509::version $cert]
    set clientIP [IP::client_addr]

    # check the serial number to see if the certificate is revoked
    # (the serial number values on the original page are truncated; "62" and "66"
    # are what survives, and "contains" only does a substring match)
    if { $sn contains "62" || $sn contains "66" } {
        log local0. "cert SN revoked, client $clientIP"
        reject
    }

    # check the certificate common name to see if it contains the FQDN for the virtual server
    if { $subject contains "CN=will.rlg" } {
        # uncomment the line below to validate that the iRule is accepting a valid certificate
        # log local0. "cert CN valid"
    } else {
        # if the certificate is not valid, log the client IP and reject the connection
        log local0. "cert CN not valid, client $clientIP"
        reject
    }
}
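The rewrite the note above asks for, as an added example that is not the CodeShare author's code: it rejects any certificate that did not verify against the client SSL profile's CA (SSL::verify_result), compares the CN exactly instead of with a substring match, and looks revoked serial numbers up in a data group. It assumes a hypothetical string data group named revoked_serials (holding serials in the colon-separated form X509::serial_number returns) and an application FQDN of app.example.com.

```tcl
# Added example, not the original snippet. Assumptions: "revoked_serials" is a
# hypothetical string data group of serial numbers and "app.example.com" is the
# application FQDN served by this virtual server.
when CLIENTSSL_CLIENTCERT {
    set clientIP [IP::client_addr]

    # No certificate at all (client SSL profile set to "request") is a reject,
    # not a pass-through.
    if { [SSL::cert count] == 0 } {
        log local0. "no client cert presented from $clientIP"
        reject
        return
    }

    # 1. Chain validation: SSL::verify_result is 0 only when the certificate
    #    verified against the trusted CA on the client SSL profile. A self-signed
    #    cert with the right CN fails here, which the original snippet does not catch.
    set vr [SSL::verify_result]
    if { $vr != 0 } {
        log local0. "client cert failed verification from $clientIP: [X509::verify_cert_error_string $vr]"
        reject
        return
    }

    set cert [SSL::cert 0]
    set sn [X509::serial_number $cert]
    set subject [X509::subject $cert]

    # 2. Revocation by serial number: exact match against the data group, so a
    #    partial match such as "62" can no longer hit unrelated serial numbers.
    if { [class match $sn equals revoked_serials] } {
        log local0. "revoked cert serial $sn presented from $clientIP"
        reject
        return
    }

    # 3. Exact CN comparison: findstr takes the value after "CN=" up to the next
    #    comma, so a subject like "CN=app.example.com.other.test" no longer passes
    #    the way a "contains" check would.
    set cn [string tolower [findstr $subject "CN=" 3 ","]]
    if { $cn ne "app.example.com" } {
        log local0. "cert CN \"$cn\" not valid for this application, client $clientIP"
        reject
        return
    }
}
```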
Published Mar 18, 2015
Version 1.0
CodeCentral_194