iRule to validate that the client certificate is allowed via CN

Hi All,

I am trying to write an iRule to check the client certificate; if the cert does not contain the two CN entries below, client certificate authentication is rejected and logged. Is my syntax correct? Thanks.

when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] > 0}{
        set cert [SSL::cert 0]
        set subject [string tolower [X509::subject $cert]]
        set clientIP [IP::client_addr]
        if { not [class match ([$subject] contains "cn=integration-prod_SFDC-client") or ([$subject] contains "cn=INTEGRATION-PROD_SFDC-CLIENT") } {
            reject } {
                log local0. "cert CN not valid" }
    }
}


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You must replace this line:

if { not [class match ([$subject] contains "cn=integration-prod_SFDC-client") or ([$subject] contains "cn=INTEGRATION-PROD_SFDC-CLIENT") }

with this:

if { not ($subject contains "cn=integration-prod_sfdc-client") }

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
when CLIENTSSL_CLIENTCERT {
  if {[SSL::cert count] > 0} {
    set cert [SSL::cert 0]
    set subject [string tolower [X509::subject $cert]]
    if { not ($subject contains "cn=integration-prod_sfdc-client") } {
      reject
      log local0. "cert CN not valid"
    }
  }
}
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Please try the one below.

when CLIENTSSL_CLIENTCERT {
  # Make sure the client sent a cert
  if {[SSL::cert 0] eq ""} {
    # If not, reset the connection
    reject
  } else {
    set subject_dn [X509::subject [SSL::cert 0]]
    log "Client Certificate Received: $subject_dn"
    # Make sure the CN is what we're expecting
    if { $subject_dn contains "CN=domainname" } {
       # Accept the client cert
       log "Client Certificate Accepted: $subject_dn"
    } else {
       log "No Matching Client Certificate Was Found Using: $subject_dn"
       reject
    }
  }
}

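A stricter variant of the accepted answers, added here as an example and not code from the original thread: the `contains` test matches the string anywhere in the subject DN (a longer CN, or an OU with the same text, would also pass), so this version extracts the CN RDN and compares it exactly. It assumes the DN returned by X509::subject has no escaped commas inside attribute values.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Reject the handshake if the client sent no certificate at all
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate from [IP::client_addr]"
        reject
        return
    }
    # Normalise case once; the subject DN is a comma-separated list of RDNs
    set subject [string tolower [X509::subject [SSL::cert 0]]]
    # Pull out only the value of the CN attribute (assumes no escaped commas in values)
    set cn ""
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if { [string range $rdn 0 2] eq "cn=" } {
            set cn [string range $rdn 3 end]
            break
        }
    }
    # Exact comparison of the CN value, not a substring search over the whole DN
    if { $cn ne "integration-prod_sfdc-client" } {
        log local0. "Client cert CN '$cn' not allowed from [IP::client_addr] (subject: $subject)"
        reject
        return
    }
    log local0. "Client cert accepted: $subject"
}
```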