Kai_Wilke (MVP)
Apr 02, 2019
Hi DecDawkins,
You cannot perform a full certificate validation based on such an HTTP header. All you can do is extract some certificate fields.
    when HTTP_REQUEST {
        # Only act when the certificate header is present and non-empty.
        if { [HTTP::header value "X-Client-Cert-Example"] ne "" } then {
            log local0.debug "Certificate HTTP header detected. X-Client-Cert-Example = [HTTP::header value "X-Client-Cert-Example"]"
            # Step 1: base64-decode the header value; stop if it is not valid base64.
            if { [catch {
                log local0.debug "Trying to b64decode the certificate HTTP header..."
                set header_certificate [b64decode [HTTP::header value "X-Client-Cert-Example"]]
                log local0.debug "... successfully b64decoded the certificate HTTP header."
            }] } then {
                log local0.debug "... failed to b64decode the certificate HTTP header."
                return
            }
            # Step 2: extract Subject and Issuer. This parses fields only, it does not validate the certificate.
            if { [catch {
                log local0.debug "Trying to extract X509 certificate information..."
                set subject_name [X509::subject $header_certificate]
                set issuer_name [X509::issuer $header_certificate]
                log local0.debug "... successfully extracted Subject = \"$subject_name\" from CA = \"$issuer_name\"."
            }] } then {
                log local0.debug "... failed to extract Subject and CA values from the certificate."
            }
        }
    }
Note: Unless you are using a very old TMOS version, you should not continue to use those $::variables. They are not CMP-compliant and are forcing your Virtual Server to run on just a single CPU core. Check out support article K13033 for further information.
K13033: Constructing CMP-compatible iRules
https://support.f5.com/csp/article/K13033
Cheers, Kai
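
Added example (not part of the post above and not F5's own code): the same field extraction written with CMP-compatible `static::` variables in place of `$::` globals, and with the header accepted only from the upstream proxy that terminated the client's TLS session, since fields parsed from a header are only as trustworthy as whoever set the header. The proxy address `192.0.2.10` is a constructed placeholder, and the default route domain is assumed.

```tcl
when RULE_INIT {
    # static:: variables are CMP-compatible, unlike $::globals (see K13033).
    # Both values are assumptions made for this example.
    set static::cert_header "X-Client-Cert-Example"
    set static::trusted_proxy "192.0.2.10"
}

when HTTP_REQUEST {
    if { ![HTTP::header exists $static::cert_header] } {
        return
    }
    # Drop the header unless the request comes from the proxy that actually
    # verified the client certificate during its own TLS handshake.
    if { ![IP::addr [IP::client_addr] equals $static::trusted_proxy] } {
        log local0.warning "Removing $static::cert_header sent by untrusted source [IP::client_addr]"
        HTTP::header remove $static::cert_header
        return
    }
    # Decode and parse in one guarded step; an unparsable value is removed
    # so that nothing downstream relies on it.
    if { [catch {
        set header_certificate [b64decode [HTTP::header value $static::cert_header]]
        set subject_name [X509::subject $header_certificate]
        set issuer_name [X509::issuer $header_certificate]
    }] } {
        log local0.warning "Could not parse $static::cert_header from [IP::client_addr], removing it"
        HTTP::header remove $static::cert_header
        return
    }
    # Informational only: these fields were parsed, not validated.
    log local0.debug "Subject = \"$subject_name\", Issuer = \"$issuer_name\""
}
```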