X509 parsing rule

I have a rule that I have been attempting to write. The rule is supposed to exctract the OU value from a client certificate. That part works just fine. It logs out to my /var/log/ltm beautifully.

 

The next part is to compare against a white list and make two decisions.

 

1. If the compare fails, offer a custom http response. (The response part works.) 2. If the compare is successful, insert the value into the http header and pass the traffic to the default pool.

 

When I apply the rule, it always executes the custom error response. Even when the certificate value matches the white list. I don't think my if and elseif statements are executing properly. Is there a better way to do a compare?

 

 

$::appcode is a global variable defined within the rule

 

$::app_id is a data group defined as the white list

 

 

when RULE_INIT {

 

set appresponse {

 

 

 

Application ID ERROR:551

 

 

 

Your Client Application ID is invalid.

 

 

Please validate your client certificate.

 

 

 

}

 

}

 

when CLIENTSSL_CLIENTCERT {

 

set client_cert [SSL::cert 0]

 

set ::appcode [findstr [X509::subject $client_cert] "OU=" 0 ","]

 

log local0. "Application Code = $::appcode"

 

}

 

when HTTP_REQUEST {

 

if {$::appcode != $::app_id}{

 

HTTP::respond 520 content [subst $::appresponse]

 

}

 

elseif {$::appcode == $::app_id}{

 

HTTP::header insert ApplicationData "[$::appcode]"

 

}

 

}