Jim_24689 (Nimbostratus)
Oct 08, 2013

Irule and accepting a Client Cert

Hello, I am trying to configure two-way SSL on a v11 F5 LTM/ASM. I'd like to check the common name of the client cert presented by the client.

when CLIENTSSL_CLIENTCERT {

    log local0. "Client IP   - [IP::client_addr]"
    log local0. "Cert Error  - [X509::verify_cert_error_string [SSL::verify_result]]"

    # Reject the connection unless the cert subject starts with an entry
    # in the ssgdev_cn_class data group
    if { not ([class match [X509::subject [SSL::cert 0]] starts_with ssgdev_cn_class]) } {
        log local0. "- Client certificate rejected"
        log local0. "Cert Subject- [X509::subject [SSL::cert 0]]"
        reject
        return
    }

}

In the log I see the following.

Client IP - xx.xx.xx.xx

Rule /Common/ssgdev_rule : Cert Error - application verification failure

TCL error: /Common/ssgdev_rule - while executing "X509::subject [SSL::cert 0]"

I have not run into this before. What does it mean?

11 Replies

  • The "application verification failure" message is usually indicative of a certificate validation issue. I'd recommend first manually validating the client certificate against the specified CA using the OpenSSL verify command:

    openssl verify -CAfile [CA certificate] [user certificate]
    
  • uni (Altostratus)

    I think your client has not supplied a certificate. Check that [SSL::cert count] > 0 before executing [X509::subject [SSL::cert 0]].

    • Kevin_Stewart (Employee)
      I don't believe the CLIENTSSL_CLIENTCERT event will be triggered if the client isn't presenting a certificate.
    • uni (Altostratus)
      Good point. I wonder why there is a TCL error then.
    • uni (Altostratus)
      The event is triggered. I have a rule which logs the cert count in that event, and it logs 0 regularly. Jim should look at the example in the Wiki: https://clouddocs.f5.com/api/irules/X509__subject.html It does almost exactly what he wants. He will need to pick out the CN from the subject, e.g. change the test to if { [X509::subject [SSL::cert 0]] contains "CN=my.common.name" }
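The following iRule is an added example, not code from the thread or from F5, that puts the replies above together: it guards [X509::subject [SSL::cert 0]] with the [SSL::cert count] check uni suggests (which is what removes the TCL error), rejects certificates the configured CA did not validate via [SSL::verify_result], and then pulls the CN attribute out of the subject DN instead of substring-matching the whole DN. Note that `contains "CN=my.common.name"` is a substring test, so it also accepts any subject whose CN merely contains that text (a longer CN, for instance); splitting out the CN and comparing it exactly avoids that. It assumes the subject is returned as a comma-separated DN such as "CN=host.example.com,OU=Dev,O=Example", and that ssgdev_cn_class is a string data group whose entries are bare common names (Jim's original rule matched whole-subject prefixes instead, so the entries would need adjusting).

```tcl
# Added example (not from the thread): hardened version of the client-cert check.
# Assumption: ssgdev_cn_class is a string data group containing bare CNs.
when CLIENTSSL_CLIENTCERT {

    # The event can fire with no certificate, which is what produced the
    # TCL error in the thread, so check the count before touching cert 0.
    if { [SSL::cert count] == 0 } {
        log local0. "Client [IP::client_addr] presented no certificate"
        reject
        return
    }

    # SSL::verify_result is 0 (X509_V_OK) only when the chain validated
    # against the CA configured on the client SSL profile.
    if { [SSL::verify_result] != 0 } {
        log local0. "Client [IP::client_addr] cert failed validation: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }

    set subject [X509::subject [SSL::cert 0]]

    # Pull the CN attribute out of the DN. Assumes a comma-separated DN;
    # a CN containing an escaped comma would need a proper DN parser.
    set cn ""
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if { [string match -nocase "CN=*" $rdn] } {
            set cn [string range $rdn 3 end]
            break
        }
    }

    if { $cn eq "" } {
        log local0. "Client [IP::client_addr] cert has no CN (subject: $subject)"
        reject
        return
    }

    # Exact match of the CN against the allow-list data group, not a
    # substring or prefix match on the whole subject.
    if { ![class match $cn equals ssgdev_cn_class] } {
        log local0. "Client [IP::client_addr] rejected, CN '$cn' not in ssgdev_cn_class (subject: $subject)"
        reject
        return
    }

    log local0. "Client [IP::client_addr] accepted, CN '$cn'"
}
```

The verify_result check only means something if the client SSL profile has the trusted CA bundle configured and client authentication set to request or require; without it the certificate is never validated and the rule would only be checking a name the client chose for itself.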