Nick_Matthews
Feb 20, 2014
Altostratus
Could I use iRules instead to check for a client cert rather than using the SSL Profile to do this?
Something like:
    # get certificate data
    when CLIENTSSL_CLIENTCERT {
        set cert [SSL::cert 0]
        set sn [X509::serial_number $cert]
        set subject [X509::subject $cert]
        set issuer [X509::issuer $cert]
        set version [X509::version $cert]
        set clientIP [IP::client_addr]
        # check Certificate common name to see if it contains the FQDN for Virtual server
        if { $subject contains "CN=FQDN" } {
            # uncomment the line below to validate that the iRule is accepting a valid certificate
            log local0. "cert CN valid"
        } else {
            # if the certificate is not valid log client IP and reject connection
            log local0. "client IP: $clientIP"
            log local0. "cert CN not valid"
            reject
        }
    }
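An added example, not part of the original post: plain Tcl (runnable in tclsh) that compares the substring test used above with an exact match on the CN attribute of the subject. The comma-separated subject format, the sample subjects and the proc names are assumptions made for illustration; in an iRule the subject string would come from `X509::subject`.

```tcl
# Added example; not from the original post.
# Assumption: the subject is comma-separated "KEY=value" pairs, as in the
# constructed samples below. Escaped commas inside values are not handled.

# Return the value of the first CN attribute in a subject DN, or "" if none.
proc subject_cn {subject} {
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        set eq [string first "=" $rdn]
        if {$eq < 0} { continue }
        set key [string toupper [string trim [string range $rdn 0 [expr {$eq - 1}]]]]
        if {$key eq "CN"} {
            return [string trim [string range $rdn [expr {$eq + 1}] end]]
        }
    }
    return ""
}

# True only when the CN attribute equals the expected name (case-insensitive).
proc cn_matches {subject expected} {
    set cn [subject_cn $subject]
    if {$cn eq ""} { return 0 }
    return [string equal -nocase $cn $expected]
}

# Substring test, equivalent to the `contains "CN=..."` check in the post.
proc cn_contains {subject expected} {
    return [expr {[string first "CN=$expected" $subject] >= 0}]
}

# Constructed sample subjects (hypothetical names).
set expected "vs.example.com"
set samples {
    "CN=vs.example.com,OU=IT,O=Example,C=US"
    "CN=vs.example.com.other.test,O=Other,C=US"
    "CN=client1,OU=CN=vs.example.com,O=Other,C=US"
    "OU=IT,O=Example,C=US"
}
foreach s $samples {
    puts [format "%-48s contains=%d exact=%d" $s \
        [cn_contains $s $expected] [cn_matches $s $expected]]
}
```

Only the first sample passes both checks; the second and third pass the substring test but fail the exact CN comparison.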