Client Certificate Verification using Request

Question

Hello. Wondering if there is an iRule equivalent of the "Client Certificate - Require" and "Trusted Certificate Authorities - Bundle" in the SSL Profile. I have a situation where I need to set the "Client Certificate" to request but still verify the cert. The cert is only verified when "Client Certificate" is set to require. I know I can build a rule that checks the issuer angainst a data group, etc. but I am looking for a feature-parity approach in an iRule. Thanks.

erich_rockman_1 · Accepted Answer

I decided to go with something like this:
when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] &gt; 0} {
set error_code [SSL::verify_result]
set error_code_string [X509::verify_cert_error_string [SSL::verify_result]]
    log local0. "error_code = $error_code" 
    log local0. "error_code_string = $error_code_string"

if { $error_code ne 0 } {
        reject
        return
    }
}

}

devbabu · Answer

https://devcentral.f5.com/articles/selective-client-cert-authentication&nbsp;

Forum Discussion

Client Certificate Verification using Request

2 Replies

Recent Discussions

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Inquiry on F5's Maintenance Mode Feature for Pool Members

Ansible modules for F5OS

VPN fragmented IP packets dropped

Related Content

Configure NGINX microgateway for MTLS termination and client certificate hash verification

Re: Management Certificate

My Security+ Certification Journey

Certifications for security professionals

Logging DNS Requests