Mathew_58739
May 01, 2009 | Nimbostratus
X509 parsing rule
I have a rule that I have been attempting to write. The rule is supposed to extract the OU value from a client certificate. That part works just fine. It logs out to my /var/log/ltm beautifully.
The next part is to compare against a white list and make two decisions.
1. If the compare fails, offer a custom HTTP response. (The response part works.)
2. If the compare is successful, insert the value into the HTTP header and pass the traffic to the default pool.
When I apply the rule, it always executes the custom error response. Even when the certificate value matches the white list. I don't think my if and elseif statements are executing properly. Is there a better way to do a compare?
$::appcode is a global variable defined within the rule
$::app_id is a data group defined as the white list
    when RULE_INIT {
        # Global (::) so that HTTP_REQUEST can read it as $::appresponse below
        set ::appresponse {
    Application ID ERROR:551
    Your Client Application ID is invalid.
    Please validate your client certificate.
    }
    }

    when CLIENTSSL_CLIENTCERT {
        set client_cert [SSL::cert 0]
        # findstr <string> <search> <skip> <terminator>: text from "OU=" up to the next comma
        set ::appcode [findstr [X509::subject $client_cert] "OU=" 0 ","]
        log local0. "Application Code = $::appcode"
    }

    when HTTP_REQUEST {
        # Compare the extracted OU against the white list data group
        if { $::appcode != $::app_id } {
            HTTP::respond 520 content [subst $::appresponse]
        } elseif { $::appcode == $::app_id } {
            # Insert the OU value as a header for the pool members
            HTTP::header insert ApplicationData $::appcode
        }
    }
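The following is an added example of how the same check can be written, not the original poster's rule. It assumes LTM v10 or later (`class match`, `static::`), a string data group named `app_id` whose entries are the bare OU values to allow, and that the virtual server's default pool should receive the request when the check passes. Two points differ from the posted rule on purpose: a plain `==`/`!=` against `$::app_id` compares the OU string with the data group's name rather than its contents, which is why every request fails the compare; and a global `$::appcode` is shared by every connection on the box, so the OU pulled from one client's certificate can be applied to another client's request. A connection-local variable set in CLIENTSSL_CLIENTCERT is still visible in HTTP_REQUEST on that same connection.

```tcl
# Added example, not the original poster's rule.
# Assumes: LTM v10+, a string data group "app_id" listing the allowed OU values.
when RULE_INIT {
    # static:: variables are CMP-safe, read-only-at-runtime globals
    set static::appresponse "Application ID ERROR:551\r\nYour Client Application ID is invalid.\r\nPlease validate your client certificate.\r\n"
}

when CLIENTSSL_CLIENTCERT {
    # Connection-local (no ::), so one client's OU can never leak into another
    # client's request the way a shared $::appcode could.
    set appcode ""
    if { [SSL::cert count] > 0 } {
        set subject [X509::subject [SSL::cert 0]]
        # findstr <string> <search> <skip> <terminator>: skip the 3 chars of "OU="
        # and take everything up to the next comma, so appcode holds the bare value
        set appcode [string trim [findstr $subject "OU=" 3 ","]]
    }
    log local0. "Application Code = '$appcode'"
}

when HTTP_REQUEST {
    # No certificate at all (or a cert without an OU) is treated as a failed check,
    # and the data group is searched by name with class match, not compared with ==
    if { ![info exists appcode] || $appcode eq "" || ![class match $appcode equals app_id] } {
        HTTP::respond 520 content $static::appresponse "Content-Type" "text/plain"
        return
    }
    # Drop any client-supplied copy of the header first, so a client cannot
    # pre-seed the value the pool members trust.
    HTTP::header remove ApplicationData
    # No square brackets around the value: "[$appcode]" would make Tcl try to
    # execute the OU string as a command.
    HTTP::header insert ApplicationData $appcode
    # Falling through sends the request to the virtual server's default pool
}
```

On v9, where `class match` and `static::` do not exist, the equivalent compare is `matchclass $appcode equals $::app_id` and the response text would be kept in a `::` global set in RULE_INIT; the connection-local `appcode` variable works the same way on both versions.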