icherif_189553
Mar 14, 2016Nimbostratus
[F5 LTM 11.4.1 HF9][2-Way-auth] CLIENTSSL_CLIENTCERT is not triggered in the iRule
Hello all, I am trying to implement an iRule to filter CN names. Below is the iRule:
when RULE_INIT {
    set static::org "O=OPS"
    log local0.alert "RULE_INIT"
}
when CLIENTSSL_CLIENTCERT {
    # Check if client provided a cert
    if { [SSL::cert 0] eq "" } {
        # Reset the connection
        reject
    } else {
        # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
        set subject_dn [X509::subject [SSL::cert 0]]
        log local0.alert "Client Certificate Received: $subject_dn"
        # Check if the client certificate contains the correct O and a CN from the list
        if { ([matchclass $subject_dn contains cn_allowed]) and ($subject_dn contains $static::org) } {
            # Accept the client cert
            log local0.alert "Client Certificate Accepted: $subject_dn"
        } else {
            log local0.alert "No Matching Client Certificate Was Found Using: $subject_dn"
            reject
        }
    }
}
The "cn_allowed" data group contains the list of allowed CNs. When I make a new connection with the browser (after sending the client certificate), I am not getting any log in /var/log/ltm related to the CLIENTSSL_CLIENTCERT section (only the RULE_INIT log is shown).
Kindly help me to resolve this problem. Thanks in advance.
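The same check rewritten as an added example (not the poster's iRule), with a diagnostic event and an exact CN match instead of a substring match. It assumes the same cn_allowed data group and that the client SSL profile's Client Certificate setting is request or require: with the default ignore, the BIG-IP never asks the client for a certificate and CLIENTSSL_CLIENTCERT is never raised, so only the RULE_INIT line reaches the log.

```tcl
when RULE_INIT {
    # Organisation attribute every accepted subject must carry (assumed value)
    set static::org "O=OPS"
}

when CLIENTSSL_HANDSHAKE {
    # Diagnostic only: fires on every handshake, whether or not a cert was requested.
    # A count of 0 with no CLIENTSSL_CLIENTCERT log means the profile never asked
    # the client for a certificate.
    log local0. "Handshake complete, client certs presented: [SSL::cert count]"
}

when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        log local0.alert "No client certificate presented, rejecting"
        reject
        return
    }

    set subject_dn [X509::subject [SSL::cert 0]]
    log local0.alert "Client Certificate Received: $subject_dn"

    # Pull out the CN attribute itself; accepts both "CN=x,O=y" and "/CN=x/O=y" layouts.
    set cn ""
    regexp -nocase {CN=([^,/]+)} $subject_dn -> cn
    set cn [string trim $cn]

    # Exact match against the cn_allowed data group (class match supersedes the
    # older matchclass), plus the organisation check on the full DN.
    set cn_ok  [expr { $cn ne "" && [class match -- $cn equals cn_allowed] }]
    set org_ok [string match -nocase "*${static::org}*" $subject_dn]

    if { $cn_ok && $org_ok } {
        log local0.alert "Client Certificate Accepted: CN=$cn ($subject_dn)"
    } else {
        log local0.alert "Client Certificate Rejected: CN=$cn ($subject_dn)"
        reject
    }
}
```

The CLIENTSSL_HANDSHAKE line is the quick test: if it logs a count of 0 and no CLIENTSSL_CLIENTCERT entry follows, the profile's certificate setting, not the iRule, is what needs changing.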