Selective Client Cert Authentication
Published May 13, 2008
Version 1.0
Hello, I need to build a similar principle (request client cert) for selected URLs, but with one additional condition: once the client certificate is sent, I only want to allow clients which belong to a specific OU or come from a specific source IP.
It seems I cannot make it work.
I see the following error in the ltm log:
TCL error: /Common/https_vip <HTTP_REQUEST> - Error using <Certificate> (line 14) invoked from within "X509::subject [SSL::cert 0]" ("/test1/*" arm line 9) invoked from within "switch -glob $uri { "/test1/*" { if { [SSL::cert count] <= 0 } { HTTP::collect SSL::authenticate alwa..."
iRule

when CLIENTSSL_CLIENTCERT {
    # release any stored data just in case
    HTTP::release
    # if there is still no cert after the SSL renegotiation, kill the connection
    # by sending a reset back to the client
    if { [SSL::cert count] < 1 } {
        reject
    }
}

when HTTP_REQUEST {
    set uri [HTTP::uri]
    switch -glob $uri {
        "/test1/*" {
            if { [SSL::cert count] <= 0 } {
                # hold the request and ask the client for a certificate
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 10
                SSL::cert mode require
                SSL::renegotiate
                # subject/issuer are read right after the renegotiate call, in the same event
                set cert_subject [X509::subject [SSL::cert 0]]
                set cert_issuer [X509::issuer [SSL::cert 0]]
                if { ($cert_subject contains "OU=Department1") || (($cert_subject contains "OU=Department2") && ($cert_subject contains "OU=PROD")) || ( [IP::addr [getfield [IP::client_addr] "%" 1] equals 192.168.20.1 ] ) } {
                    pool pool1
                } else {
                    reject
                }
            }
        }
    }
}

when HTTP_REQUEST_SEND {
    clientside {
        # if there is a client side cert, pass its details to the server in headers
        if { [SSL::cert count] > 0 } {
            #log local0. "CLIENT CERT SUBJECT: [X509::subject [SSL::cert 0]]"
            HTTP::header insert "X-SSL-Session-ID" [SSL::sessionid]
            HTTP::header insert "X-SSL-Client-Cert-Status" [X509::verify_cert_error_string [SSL::verify_result]]
            HTTP::header insert "X-SSL-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
            HTTP::header insert "X-SSL-Client-Cert-Issuer" [X509::issuer [SSL::cert 0]]
        }
    }
}
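The "Error using <Certificate>" comes from reading SSL::cert 0 in HTTP_REQUEST immediately after SSL::renegotiate, before the renegotiated handshake has actually delivered a certificate. The restructured iRule below is an added example, not the poster's code: HTTP_REQUEST only holds the request and triggers the renegotiation, and the OU / source-IP decision is made in CLIENTSSL_CLIENTCERT, where the certificate is available. The pool name pool1, the OU values and 192.168.20.1 are taken from the post; the connection variable cert_required is an assumed name.

```tcl
# Added example: selective client-cert authentication with the subject check
# moved into CLIENTSSL_CLIENTCERT. Assumes pool "pool1" exists and that the
# client SSL profile trusts the issuing CA (cert mode "require" fails the
# handshake otherwise). "cert_required" is an assumed variable name.

when CLIENT_ACCEPTED {
    # per-connection flag: set when a URI forced a renegotiation
    set cert_required 0
}

when HTTP_REQUEST {
    switch -glob [HTTP::uri] {
        "/test1/*" {
            if { [SSL::cert count] <= 0 } {
                # hold the request; CLIENTSSL_CLIENTCERT releases it later
                set cert_required 1
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 10
                SSL::cert mode require
                SSL::renegotiate
                return
            }
        }
    }
}

when CLIENTSSL_CLIENTCERT {
    # only enforce the extra conditions for connections we forced to renegotiate
    if { !$cert_required } { return }
    set cert_required 0
    if { [SSL::cert count] < 1 } {
        # renegotiation finished without a certificate: reset the client
        reject
        return
    }
    set cert_subject [X509::subject [SSL::cert 0]]
    # strip the route domain suffix (addr%rd) before comparing the source IP
    set client_ip [getfield [IP::client_addr] "%" 1]
    if { ($cert_subject contains "OU=Department1") ||
         (($cert_subject contains "OU=Department2") && ($cert_subject contains "OU=PROD")) ||
         [IP::addr $client_ip equals 192.168.20.1] } {
        pool pool1
        # forward the held request now that the certificate passed the checks
        HTTP::release
    } else {
        reject
    }
}
```

With the cert mode set to "require", a certificate that does not chain to the profile's trusted CA never reaches CLIENTSSL_CLIENTCERT, so the OU match only needs to decide between otherwise valid certificates.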