Let me provide more details. Here is my iRule:
when CLIENTSSL_CLIENTCERT {
    # Set debug variable to 0 for max performance during normal operations. Only negative events will be logged.
    # Set debug variable to 1 for more logging, i.e. during troubleshooting. Negative and positive events will be logged.
    set debug 0
    set client_IP [IP::remote_addr]
    set vs_name [string tolower [virtual name]]
    set prt_name [string tolower [lindex [split $vs_name /] 1]]
    if {$debug} {log local0.error "Partition name of $vs_name is $prt_name"}
    set dg_name [string tolower [virtual name]-ma]
    if {![class exists $dg_name]} {
        log local0.error "Virtual server $vs_name: Data Group $dg_name doesn't exist. Check if the Data Group has been created and whether its name is entirely in lower case."
        reject
        return
    }
    # Check if client provided a cert
    if {[SSL::cert 0] eq ""} {
        # Reset the connection if no client certificate has been presented
        log local0.error "Virtual server $vs_name: Client with IP address $client_IP has not presented client certificate. Connection is rejected."
        reject
        return
    } else {
        # If client cert is presented, check validity and access rights
        if {[SSL::cert count] > 0} {
            set subject_dn [X509::subject [SSL::cert 0]]
            if {$debug} {log local0.error "Client Certificate Received: $subject_dn"}
            # Check if the certificate is valid
            if { [SSL::verify_result] == 0 } {
                # Certificate has been verified as valid, now check the CN against the allowed CN list
                # cSSLSubject variable contains only the CN value from the certificate subject
                set cSSLSubject [string tolower [findstr $subject_dn "CN=" 3 ","]]
                # Reading value inside -ma data-group and changing the case to LOWERCASE
                set ma_value [string tolower [class get $dg_name]]
                if {$debug} {log local0.error "SSL Subject CN is: $cSSLSubject"}
                # Check if the client certificate subject is in the allowed certificate subject access list
                if {$debug} {log local0.error "$dg_name values: [class get $dg_name]"}
                if { [class match $cSSLSubject contains $ma_value] } {
                    # Compare the CN portion of the subject in the presented certificate with the value listed in the access list.
                    # Accept the client cert if its CN is listed in the certificate subject access list.
                    # For performance reasons do not turn on logging of success events unless troubleshooting
                    if {$debug} {log local0.error "Virtual server $vs_name: Client Certificate with subject $subject_dn has been received from client with an IP address $client_IP. $cSSLSubject has been found in the Data Group $dg_name, connection has been accepted."}
                } else {
                    # Reject the client cert if it's not in the certificate subject access list
                    log local0.error "Virtual server $vs_name: Client Certificate with subject $subject_dn has been received from client with an IP address $client_IP. $cSSLSubject has not been found in the Data Group $dg_name, connection would have been rejected."
                    reject
                    return
                }
            } else {
                # Certificate verification failed. Use the SSL status code in the HTTP response (defined here: http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS)
                set cert_verify_error [X509::verify_cert_error_string [SSL::verify_result]]
                log local0.error "Virtual server $vs_name: Failed to Verify Client Certificate $subject_dn presented by client with IP $client_IP. SSL verify result: $cert_verify_error. Connection has been rejected."
                reject
                return
            }
        } else {
            # Reset the connection if no client certificates
            log local0.error "Virtual server $vs_name: No client certificate has been presented by client with IP address $client_IP. Connection is rejected."
            reject
            return
        }
    }
}
data-group name: /olb2-ifweb/sit-iolb-t1-zolb2-ser-c1-v8-443-vsrv-ma
When the client tried to access the URL with the client certificate (sitws1.olb.srv.amit.com.au), it was rejected and the log messages below were generated.
Apr 8 09:09:25 slot2/AC2004-TILTM2-EPS err tmm1[9319]: Rule /Common/SSLMA-v1.3-allowall : Partition name of /olb2-ifweb/sit-iolb-t1-zolb2-ser-c1-v8-443-vsrv is olb2-ifweb
Apr 8 09:09:25 slot2/AC2004-TILTM2-EPS err tmm1[9319]: Rule /Common/SSLMA-v1.3-allowall : SSL Subject CN is: sitws1.olb.srv.amit.com.au
Apr 8 09:09:25 slot2/AC2004-TILTM2-EPS err tmm1[9319]: Rule /Common/SSLMA-v1.3-allowall : /olb2-ifweb/sit-iolb-t1-zolb2-ser-c1-v8-443-vsrv-ma values: {epsir515.unix.srv.amit.com.au {}} {epstammonitoring.test.unix.srv.amit.com.au {}} {sitws1.olb.srv.amit.com.au {}}
Apr 8 09:09:25 slot2/AC2004-TILTM2-EPS err tmm1[9319]: 01220001:3: TCL error: /Common/SSLMA-v1.3-allowall - can't read "ma": no such variable while executing "class match $cSSLSubject equals $ma-value"
However, the data group is configured with sitws1.olb.srv.amit.com.au in the format below:
ltm data-group internal /olb2-ifweb/sit-iolb-t1-zolb2-ser-c1-v8-443-vsrv-ma {
    records {
        epsir515.unix.srv.amit.com.au {}
        epstammonitoring.test.unix.srv.amit.com.au {}
        sitws1.olb.srv.amit.com.au {}
    }
    type string
}
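The TCL error in the log is a Tcl parsing issue rather than a data-group issue: in Tcl, `$ma-value` is read as the variable `ma` followed by the literal text `-value`, because a hyphen is not a valid variable-name character, so the interpreter complains that `ma` does not exist. The iRule below is an added example and is not the poster's code; it shows the same CN allow-list check written so that `class match` is handed the data-group name and performs the lookup itself, with no intermediate variable. It assumes the same layout as the post: a string-type data group named after the virtual server with a `-ma` suffix, one lower-case CN per record and no record value.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Added example, not the poster's iRule. The "-ma" naming convention and the
    # data-group layout (string records, one CN each) are assumed from the post.
    set debug 0
    set client_IP [IP::remote_addr]
    set vs_name [string tolower [virtual name]]
    # [virtual name] returns the full /partition/name path, so the data group
    # is looked up in the same partition as the virtual server.
    set dg_name "${vs_name}-ma"

    if { ![class exists $dg_name] } {
        log local0.error "Virtual server $vs_name: Data Group $dg_name doesn't exist. Connection rejected."
        reject
        return
    }

    # No certificate presented at all
    if { [SSL::cert count] == 0 } {
        log local0.error "Virtual server $vs_name: no client certificate presented by $client_IP. Connection rejected."
        reject
        return
    }

    set subject_dn [X509::subject [SSL::cert 0]]

    # Chain validation comes first: the CN of a certificate that did not verify
    # against the profile's trusted CA bundle must never be consulted.
    if { [SSL::verify_result] != 0 } {
        set cert_verify_error [X509::verify_cert_error_string [SSL::verify_result]]
        log local0.error "Virtual server $vs_name: failed to verify client certificate $subject_dn from $client_IP. SSL verify result: $cert_verify_error. Connection rejected."
        reject
        return
    }

    # Extract the CN attribute. findstr stops at the first comma, so a CN that
    # itself contained a comma would be truncated; the host-name CNs in the
    # post's data group do not contain one.
    set cSSLSubject [string tolower [findstr $subject_dn "CN=" 3 ","]]
    if { $debug } { log local0.error "Virtual server $vs_name: SSL Subject CN is: $cSSLSubject" }

    # class match takes the data-group NAME as its last argument and does the
    # lookup itself. There is no need to copy the records out with "class get";
    # the post's "$ma-value" failed because Tcl read it as variable "ma" plus
    # the literal string "-value". "equals" is used rather than "contains" so a
    # CN such as "notsitws1.olb.srv.amit.com.au" cannot match a shorter entry.
    if { [class match $cSSLSubject equals $dg_name] } {
        if { $debug } {
            log local0.error "Virtual server $vs_name: CN $cSSLSubject from $client_IP found in $dg_name, connection accepted."
        }
    } else {
        log local0.error "Virtual server $vs_name: CN $cSSLSubject from $client_IP not found in $dg_name. Connection rejected."
        reject
        return
    }
}
```

The `SSL::verify_result` test only means something if the client SSL profile on the virtual server actually requests the client certificate and has a Trusted Certificate Authorities bundle configured; the iRule enforces the allow list, it does not replace that profile configuration. Data-group string matching is case-sensitive, so keeping both the extracted CN and the records lower-cased, as the post already does, is what makes `equals` reliable.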