Forum Discussion

JCMATTOS_41723
Dec 16, 2010

Client Certificate Authentication w/ CN Checking?

All,

We are trying to use this iRule with our 8400 9.4.7 platform and followed the directions, but can't seem to get this to work. I see an error displaying in the logs (see below). Is there something I'm missing? Please help...

http://devcentral.f5.com/wiki/defau...cking.html

Dec 16 08:30:16 tmm tmm[1943]: 01220001:3: TCL error: ABC_123 - while executing "X509::subject [SSL::cert 0]"

Thu Dec 16 08:30:16 PST 2010 tmm tmm[1943] 01220001 TCL error: Progressive_CCA CLIENTSSL_CLIENTCERT - while executing X509::subject [SSL::cert 0]

1 Reply

  • Hi JC,

    Can you try this? I've added a check to see if the client actually provides a cert before trying to parse it:

    when RULE_INIT {
       # Organisation that must appear in the client cert subject
       set ::org "O=Your Organisation"
       # Note: ::my_cn_list is referenced below but not set here; it is assumed
       # to be a data group (class) of allowed CN values defined elsewhere
    }
    when CLIENTSSL_CLIENTCERT {
       # Check if client provided a cert
       if {[SSL::cert 0] eq ""} {
          # Reset the connection
          reject
       } else {
          # Example Subject DN:  /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
          set subject_dn [X509::subject [SSL::cert 0]]
          log "Client Certificate Received: $subject_dn"
          # Check if the client certificate contains the correct O and a CN from the list
          if { ([matchclass $subject_dn contains $::my_cn_list]) and ($subject_dn contains $::org) } {
             # Accept the client cert
             log "Client Certificate Accepted: $subject_dn"
          } else {
             log "No Matching Client Certificate Was Found Using: $subject_dn"
             reject
          }
       }
    }

    Aaron
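As an added illustration (not Aaron's iRule and not F5 code), the Python below models the same decision the reply's iRule makes: it short-circuits when no client certificate subject is available (the case behind the `X509::subject [SSL::cert 0]` TCL error in the question), then checks the organisation and the CN. It goes one step beyond the iRule by parsing the subject DN into attribute/value pairs and matching O and CN as exact values, and it keeps a second function mirroring the iRule's whole-string `contains` logic so the two can be compared on the same inputs. The allow-list values, the sample subjects, and the acceptance of both the slash-separated DN form shown in Aaron's comment and a comma-separated form are all assumptions made for the example.

```python
"""
Constructed example: accept/reject a client certificate by its subject DN,
handling the "no certificate presented" case and matching O and CN as exact
attribute values rather than as substrings of the whole DN string.
"""

# Allow-list values standing in for the iRule's ::org and ::my_cn_list
# (assumed sample values, not taken from the thread)
ALLOWED_ORG = "Your Organisation"
ALLOWED_CNS = {"John Smith", "Jane Doe"}


def parse_subject_dn(dn):
    """Parse a subject DN into a list of (attribute, value) pairs.

    Accepts the slash form from the thread, e.g.
    /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith,
    and a comma-separated form such as CN=John Smith,O=Your Organisation
    (assumption: which form is used is decided by a leading '/').
    A list is returned rather than a dict because attributes such as OU may
    legitimately repeat, and a duplicated O or CN is something the policy
    below wants to notice. Caveat: values containing the separator character
    are not supported by this simple splitter.
    """
    separator = "/" if dn.startswith("/") else ","
    pairs = []
    for part in dn.strip(separator).split(separator):
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, _, value = part.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def exact_check(subject_dn):
    """Policy decision with exact attribute matching.

    Returns ("reject", reason) or ("accept", subject_dn).
    """
    # Equivalent of the iRule's [SSL::cert 0] eq "" guard: nothing to parse
    if not subject_dn:
        return ("reject", "no client certificate presented")
    try:
        pairs = parse_subject_dn(subject_dn)
    except ValueError as exc:
        return ("reject", "unparseable subject: %s" % exc)
    orgs = [v for a, v in pairs if a == "O"]
    cns = [v for a, v in pairs if a == "CN"]
    # Exactly one O attribute, and it must equal the allowed organisation
    if orgs != [ALLOWED_ORG]:
        return ("reject", "organisation mismatch: %r" % orgs)
    # Exactly one CN attribute, and it must be in the allow-list verbatim
    if len(cns) != 1 or cns[0] not in ALLOWED_CNS:
        return ("reject", "CN not in allow-list: %r" % cns)
    return ("accept", subject_dn)


def substring_check(subject_dn):
    """Mirror of the iRule's check, for comparison only: True when the whole
    DN string contains "O=<org>" and contains any allow-listed CN as a
    substring (the `matchclass ... contains` semantics).
    """
    if not subject_dn:
        return False
    has_org = ("O=" + ALLOWED_ORG) in subject_dn
    has_cn = any(cn in subject_dn for cn in ALLOWED_CNS)
    return has_org and has_cn


if __name__ == "__main__":
    # Constructed sample subjects: no cert, a matching cert, and a cert whose
    # O and CN merely contain the allowed values as substrings
    samples = [
        "",
        "/C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith",
        "/C=AU/O=Your Organisation Ltd/OU=Sales/CN=John Smithson",
    ]
    for s in samples:
        print("%r\n  substring=%s exact=%s" % (s, substring_check(s), exact_check(s)))
```

The third sample is the interesting one: the substring mirror accepts it because "O=Your Organisation Ltd" contains "O=Your Organisation" and "John Smithson" contains "John Smith", while the exact check rejects it on both attributes. Whichever form is used on the BIG-IP, the first branch is the fix for the error in the question: nothing is handed to the parser until a certificate is known to be present.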