Ben_Wilson_2412
Feb 08, 2010
X509::subject verification
Hi,
We are doing our first B2B web service using client and server SSL authentication.
I can see the "require" option on the client SSL profile, but no way to specify that only certain client certs are allowed to connect (dev.company.com is allowed, but prod1.company.com is not). After talking to support, iRules seems to be the way to do this with F5 LTM.
There is a good example of what I think we need to do here: http://devcentral.f5.com/wiki/default.aspx/iRules/ClientCertificateCNChecking.html, though it seems a little outdated as it mentions the pre-BIGIP-9.3.0 syntax for X509::subject.
Is the "matchclass" method the best way to validate the CN?
Would I need to check the date on the cert, or will the profile enforce it?
The cert CN is a wildcard, any caveats with this type of cert?
Here's what I'm thinking of using:
when CLIENTSSL_CLIENTCERT {
    set subject_dn [X509::subject [SSL::cert 0]]
    log "Client Certificate Received: $subject_dn"
    # matchclass compares a value against a data group (class), not a literal string,
    # and Tcl has no single-quoted strings; look for the literal CN value instead
    if { [string first "*.fakedomain.com" $subject_dn] >= 0 } {
        # Accept the client cert
        log "Client Certificate Accepted: $subject_dn"
    } else {
        log "Invalid Client Certificate Was Found Using: $subject_dn"
        reject
    }
}
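As an added example (not from the original post or from F5's wiki), here is an iRule that pulls the CN out of the subject DN and compares it exactly against an allowlist data group, so a permitted value elsewhere in the DN cannot satisfy the check; it assumes a string data group named allowed_client_cns exists and that X509::subject returns a comma-separated DN.

```tcl
when CLIENTSSL_CLIENTCERT {
    # With peer-cert mode "require" the profile already rejects an empty handshake,
    # but guard anyway so [SSL::cert 0] is never evaluated without a certificate
    if { [SSL::cert count] < 1 } {
        log local0. "No client certificate presented"
        reject
        return
    }
    set subject_dn [X509::subject [SSL::cert 0]]
    # Extract the CN RDN; assumes a DN such as "CN=*.fakedomain.com,OU=Dev,O=Company"
    set cn ""
    foreach rdn [split $subject_dn ","] {
        set rdn [string trim $rdn]
        if { [string match -nocase "CN=*" $rdn] } {
            set cn [string range $rdn 3 end]
            break
        }
    }
    # allowed_client_cns (assumed data group) lists exact CN values, e.g. "*.fakedomain.com";
    # "equals" treats the wildcard certificate's CN as a literal string, not a glob pattern
    if { $cn ne "" && [class match -- $cn equals allowed_client_cns] } {
        log local0. "Client Certificate Accepted: CN=$cn ($subject_dn)"
    } else {
        log local0. "Client Certificate Rejected: CN=$cn ($subject_dn)"
        reject
    }
}
```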