Forum Discussion

rcurr9999tcf_35
Jul 26, 2018

iRule to validate that the client certificate is allowed via CN

Hi All,

I am trying to write an iRule to check the client certificate, and if the cert does not contain the two CN entries below, client certificate authentication is rejected and logged. Is my syntax correct? Thanks.

when CLIENTSSL_CLIENTCERT {

if {[SSL::cert count] > 0}{
    set cert [SSL::cert 0]
    set subject [string tolower [X509::subject $cert]]
    set clientIP [IP::client_addr]
    if { not [class match ([$subject] contains "cn=integration-prod_SFDC-client") or ([$subject] contains "cn=INTEGRATION-PROD_SFDC-CLIENT") } {
        reject } {
            log local0. "cert CN not valid" }

    }
}

}

  • you must replace this line:

    if { not [class match ([$subject] contains "cn=integration-prod_SFDC-client") or ([$subject] contains "cn=INTEGRATION-PROD_SFDC-CLIENT") }
    

    with this:

    if { not ($subject contains "cn=integration-prod_sfdc-client") }
  • when CLIENTSSL_CLIENTCERT {
      if {[SSL::cert count] > 0} {
        set cert [SSL::cert 0]
        set subject [string tolower [X509::subject $cert]]
        if { not ($subject contains "cn=integration-prod_sfdc-client") } {
          reject
          log local0. "cert CN not valid"
        }
      }
    }
    
  • Please try the one below

    when CLIENTSSL_CLIENTCERT {
      # Make sure the client sent a cert
      if {[SSL::cert 0] eq ""} {
        # If not, reset the connection
        reject
      } else {
        set subject_dn [X509::subject [SSL::cert 0]]
        log "Client Certificate Received: $subject_dn"
        # Make sure the CN is what we're expecting
        if { $subject_dn contains "CN=domainname" } {
          # Accept the client cert
          log "Client Certificate Accepted: $subject_dn"
        } else {
          log "No Matching Client Certificate Was Found Using: $subject_dn"
          reject
        }
      }
    }
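Every version in this thread tests the whole subject DN with `contains`, so any certificate whose subject merely embeds the expected text (for example a longer CN, or the string placed in the OU attribute) passes. The iRule below is an added example, not code from the original poster, the repliers, or F5: it extracts only the CN attribute from the DN and compares it exactly against a string data group, which is what the original `class match` attempt was reaching for. The data group name `allowed_client_cns` (assumed to exist as a string data group holding lowercase CNs), the sample DN in the comment, and the comma-separated DN layout are assumptions; confirm the actual `X509::subject` format from your own logs before relying on the split.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Reject the handshake if the client presented no certificate at all.
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate from [IP::client_addr]; rejecting"
        reject
        return
    }

    set subject [X509::subject [SSL::cert 0]]

    # Pull out the CN attribute only, instead of substring-matching the whole DN.
    # Assumed DN layout (constructed sample):
    #   "CN=integration-prod_sfdc-client,OU=Integration,O=Example Corp"
    # This simple split does not handle escaped commas inside attribute values.
    set cn ""
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if { [string equal -nocase -length 3 $rdn "CN="] } {
            set cn [string tolower [string range $rdn 3 end]]
            break
        }
    }

    # Exact match against the allow-list; 'equals' is case-sensitive, so the
    # CN was lowercased above and the data group entries must be lowercase too.
    # Data group name is an assumption for this example.
    if { $cn eq "" || ![class match -- $cn equals allowed_client_cns] } {
        log local0. "Client cert CN '$cn' not allowed (subject: $subject) from [IP::client_addr]"
        reject
        return
    }
    log local0. "Client cert accepted: $subject from [IP::client_addr]"
}
```

This check only adds value when the Client SSL profile already requires the certificate and verifies its chain against a trusted CA; an iRule can confirm which CN a validated certificate carries, but it cannot substitute for that validation.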