Selective Client Cert Authentication
SSL encryption on the web is not a new concept to the general population of the internet. Those of us that frequent many websites per week (day, hour, minute, etc.) are quite used to making use of SS...
Published May 13, 2008
Version 1.0
Peter_Z
Cirrus
CirrusHello, I need to build similar principle (request client cert) for selected URLs, but with one more additional condition: once client certificate is sent, I only want to allow clients with which belong to specific OU or comes from specific source IP.
It seems I cannot make it work.
I see the following error in ltm log:
TCL error: /Common/https_vip <HTTP_REQUEST> - Error using <Certificate> (line 14) invoked from within "X509::subject [SSL::cert 0]" ("/test1/*" arm line 9) invoked from within "switch -glob $uri { "/test1/*" { if { [SSL::cert count] <= 0 } { HTTP::collect SSL::authenticate alwa..."
iRule
when CLIENTSSL_CLIENTCERT {
# release any stored data just in case
HTTP::release
# if there is still no cert after the SSL renegotiation kill the connection by sending a reset back to the client
if { [SSL::cert count] < 1 } {
reject
}
}
when HTTP_REQUEST {
set uri [HTTP::uri]
switch -glob $uri {
"/test1/*" {
if { [SSL::cert count] <= 0 } {
HTTP::collect
SSL::authenticate always
SSL::authenticate depth 10
SSL::cert mode require
SSL::renegotiate
set cert_subject [X509::subject [SSL::cert 0]]
set cert_issuer [X509::issuer [SSL::cert 0]]
if { ($cert_subject contains "OU=Department1") || (($cert_subject contains "OU=Department2") && ($cert_subject contains "OU=PROD")) || ( [IP::addr [getfield [IP::client_addr] "%" 1] equals 192.168.20.1 ] ) } {
pool pool1
} else {
reject
}
}
}
}
}
when HTTP_REQUEST_SEND {
clientside {
# if there is a client side cert base64 encode it and inject it in the header
if { [SSL::cert count] > 0 } {
#log local0. "CLIENT CERT SUBJECT: [X509::subject [SSL::cert 0]]"
HTTP::header insert "X-SSL-Session-ID" [SSL::sessionid]
HTTP::header insert "X-SSL-Client-Cert-Status" [X509::verify_cert_error_string [SSL::verify_result]]
HTTP::header insert "X-SSL-Client-Cert-Subject" [X509::subject [SSL::cert 0]]
HTTP::header insert "X-SSL-Client-Cert-Issuer" [X509::issuer [SSL::cert 0]]
}
}
}