svs (Mar 02, 2017)
This doesn't make sense to me. Why do you check the CN from a client certificate to decide on the pool of the connection? Did I get that correctly? I'm not sure...
May this be what you're looking for?
when CLIENTSSL_CLIENTCERT {
    # Check if the client provided a cert
    if { [SSL::cert 0] eq "" } {
        # Reset the connection
        reject
    } else {
        # Check if the client certificate contains the correct CN
        log local0. "Client Certificate: [X509::subject [SSL::cert 0]]"
        if { [class match [X509::subject [SSL::cert 0]] contains F5_cn_list] } {
            log local0. "Forward to def.com pool"
            pool pool_def.com
        } elseif { [class match [X509::subject [SSL::cert 0]] contains F5_cn_list2] } {
            log local0. "Forward to xyz.com pool"
            pool pool_xyz.com
        } else {
            log local0. "No Matching Client Certificate Was Found Using: [X509::subject [SSL::cert 0]]"
            reject
        }
    }
}
I absolutely agree with Patrik. Please use the correct format options, otherwise no one will be willing to read your "question".
Greets, svs
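Added example (not part of svs's post and not F5 code): a stand-alone Python simulation of the iRule's pool-selection decision, so the matching semantics can be tested offline. It assumes the documented `class match ... contains` behaviour (a match when any data-group entry is a substring of the whole subject DN), uses constructed data-group contents, and places an exact-CN variant beside it to show how much looser the substring match on the full subject is.

```python
# Constructed stand-ins for the F5_cn_list / F5_cn_list2 data groups
# referenced by the iRule above; the entries are assumed, not from the page.
F5_CN_LIST = ["CN=app1.def.com", "CN=app2.def.com"]
F5_CN_LIST2 = ["CN=portal.xyz.com"]

# Pool names as used in the original iRule, in evaluation order.
POOLS = [(F5_CN_LIST, "pool_def.com"), (F5_CN_LIST2, "pool_xyz.com")]


def parse_subject(subject):
    """Split an X509::subject string such as
    'CN=app1.def.com,OU=Ops,O=Example' into a dict of RDN type -> value.
    Simplification: assumes no escaped commas inside attribute values."""
    rdns = {}
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        rdns[key.strip().upper()] = value.strip()
    return rdns


def select_pool_contains(subject):
    """Mirror of '[class match $subject contains <data group>]': the match
    succeeds when any data-group entry occurs as a substring of the whole
    subject DN. Returns the pool name, or None where the iRule rejects."""
    for entries, pool in POOLS:
        if any(entry in subject for entry in entries):
            return pool
    return None


def select_pool_exact_cn(subject):
    """Stricter variant: compare only the CN RDN, as a whole value, against
    the data-group entries (their 'CN=' prefix stripped for comparison)."""
    cn = parse_subject(subject).get("CN")
    if cn is None:
        return None
    for entries, pool in POOLS:
        wanted = [e[3:] if e.startswith("CN=") else e for e in entries]
        if cn in wanted:
            return pool
    return None


if __name__ == "__main__":
    # Constructed subjects: the third one shows the substring match
    # accepting a CN that merely begins with a listed value.
    for s in ("CN=app1.def.com,OU=Ops,O=Example",
              "CN=portal.xyz.com,O=XYZ",
              "CN=app1.def.com.example,O=Other"):
        print(s, "->", select_pool_contains(s), "/", select_pool_exact_cn(s))
```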