Client Certificate Help Needed!!!!

Hi Shawn,

 

 

Which LTM version are you running? The format for such a rule has changed somewhat in the various versions.

 

 

Thanks, Aaron

BIG-IP 9.4.7 Build 320.1 Final

This example is something you could start with:

 

 

http://devcentral.f5.com/wiki/default.aspx/iRules/ClientCertificateCNChecking.html

 

 

You could add logic to one of those examples, which after validating the client cert, adds the client's ssl ssession ID to the session table:

 

 

http://devcentral.f5.com/wiki/default.aspx/iRules/session

 

 

That way you could support SSL session resumption in the client SSL profile and only check the cert once per session.

 

 

Aaron

So this is what I have come up with so far:

 

 

when CLIENTSSL_CLIENTCERT {

 

set serial_dn [X509::serial_number [SSL::cert 0]]

 

log "Client Certificate Received: $serial_dn"

 

if { ([matchclass $serial_dn contains $::ClientCert])} {

 

Accept the client cert

 

log "Client Certificate Accepted: $serial_dn"

 

} else {

 

log "No Matching Client Certificate Was Found Using: $serial_dn"

 

reject

 

}

 

}

 

 

It basically checks the serial number of the client cert and see if it matches an entry in the Data Group.

 

 

Can I add anything to this to make it better? How can I add the serial number to the header so that it can get logged on the webserver side?

 

 

Thanks for the guidance and suggestions!