Danielvm_212087
Feb 09, 2017 Nimbostratus
Accessing the complete Client Certificate chain (even if only a partial chain is sent)
We have a use case where the application needs to determine the permissions of the client by processing the chain of the client certificate. As there are a great many clients, some of them do not send a full chain. For example, Mozilla Firefox seems to automatically remove the self-signed certificate (the Root CA) from the chain.
Our iRule currently uses the certificate information stored in SSL::cert, but apparently this information only includes the certificate chain that the client has sent. Is there a way to access the chain as it was completed with the trusted certificate authorities?
Our current code:
when CLIENTSSL_CLIENTCERT {
    # Check if the client presented at least one cert
    if { [SSL::cert count] > 0 } {
        # Insert the following fields in the session table with a timeout of 3601 seconds.
        # Do the processing now as opposed to in HTTP_REQUEST, as there
        # can be many HTTP requests using the same SSL session ID.
        # Index - item
        # 0 - Full Subject (DN)
        # 1 - Issuer
        # 2 - Valid after
        # 3 - Subject extract (CN)
        # 4 - Serial Number
        # 5 - Cert Count in chain
        # 6 - Static String "client_cert_presented"
        session add ssl "cert_[SSL::sessionid]" [list \
            [X509::subject [SSL::cert 0]] \
            [X509::issuer [SSL::cert 0]] \
            [X509::not_valid_after [SSL::cert 0]] \
            [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","] \
            [X509::serial_number [SSL::cert 0]] \
            [expr {[SSL::cert count] - 1}] \
            "client_cert_presented" \
        ] 3601
        # Loop through the cert chain and insert the certs into another session table object for
        # later processing with a timeout of 3601 seconds.
        # Do the processing now as opposed to in HTTP_REQUEST, as there
        # can be many HTTP requests using the same SSL session ID.
        for {set i 0} { $i < [SSL::cert count] } {incr i} {
            session add ssl "issuer_[SSL::sessionid]_$i" [list \
                [X509::subject [SSL::cert $i]] \
            ] 3601
        }
    }
}
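The step the question asks for, completing a partial client chain against the trusted CAs, is illustrated below as an added example. It is plain Python, not F5 iRule code and not from this post, and it models only the linkage part of path building: the client's chain (leaf first) is extended upwards by matching the issuer DN and Authority Key Identifier of the top certificate against the local trust store and any known intermediate CAs, until a trusted anchor is reached. Signature verification is assumed to have been done by the TLS handshake already. The certificate records, DNs and key identifiers are constructed sample values; `Cert`, `find_issuer`, `complete_chain`, `ca_count` and `chain_fails` are names chosen for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    """The X.509 fields that drive chain building (constructed model, not a parser)."""
    subject: str                      # subject DN, as X509::subject would return it
    issuer: str                       # issuer DN
    subject_key_id: str               # Subject Key Identifier (hex)
    authority_key_id: Optional[str]   # Authority Key Identifier; often absent on roots

    @property
    def is_self_signed(self) -> bool:
        # A root is issued by itself; if it carries an AKI it points at its own SKI.
        return (self.subject == self.issuer
                and self.authority_key_id in (None, self.subject_key_id))


def find_issuer(cert: Cert, pool: Iterable[Cert]) -> Optional[Cert]:
    """Return the certificate in `pool` that issued `cert`, or None.

    Candidates must match on issuer DN; when `cert` carries an AKI the
    candidate's SKI must match it too, which disambiguates re-keyed CAs.
    """
    candidates = [c for c in pool if c.subject == cert.issuer]
    if cert.authority_key_id is None:
        return candidates[0] if candidates else None
    for c in candidates:
        if c.subject_key_id == cert.authority_key_id:
            return c
    return None


def complete_chain(presented: List[Cert], trust_store: List[Cert],
                   intermediates: Iterable[Cert] = ()) -> List[Cert]:
    """Extend the client-presented chain (leaf first) up to a trusted anchor.

    Raises ValueError when no trusted path exists: unknown issuer, an
    untrusted self-signed root, or a loop between cross-signed CAs.
    """
    if not presented:
        raise ValueError("client presented no certificate")
    trusted = {c.subject_key_id for c in trust_store}
    pool = list(trust_store) + list(intermediates)
    chain = list(presented)
    seen = {c.subject_key_id for c in chain}
    while chain[-1].subject_key_id not in trusted:
        top = chain[-1]
        if top.is_self_signed:
            raise ValueError(f"chain ends at untrusted root {top.subject!r}")
        issuer = find_issuer(top, pool)
        if issuer is None:
            raise ValueError(f"no issuer found for {top.subject!r}")
        if issuer.subject_key_id in seen:
            raise ValueError("issuer loop detected while building chain")
        chain.append(issuer)
        seen.add(issuer.subject_key_id)
    return chain


def ca_count(chain: List[Cert]) -> int:
    """CA certificates above the leaf; the iRule's 'Cert Count in chain' field."""
    return len(chain) - 1


def chain_fails(presented: List[Cert], trust_store: List[Cert],
                intermediates: Iterable[Cert] = ()) -> bool:
    """True when complete_chain rejects the input (used for the failure cases)."""
    try:
        complete_chain(presented, trust_store, intermediates)
    except ValueError:
        return True
    return False


# Constructed sample PKI: root -> issuing CA -> device certificate.
ROOT = Cert("CN=Example Root CA,O=Example", "CN=Example Root CA,O=Example", "aa11", None)
INTER = Cert("CN=Example Issuing CA,O=Example", "CN=Example Root CA,O=Example", "bb22", "aa11")
LEAF = Cert("CN=client-42,OU=Devices,O=Example", "CN=Example Issuing CA,O=Example", "cc33", "bb22")
OTHER_ROOT = Cert("CN=Other Root CA", "CN=Other Root CA", "dd44", None)
ROGUE = Cert("CN=client-x", "CN=Unknown Issuing CA", "ee55", "ff66")

if __name__ == "__main__":
    # The Firefox case from the post: the client strips the self-signed root.
    full = complete_chain([LEAF, INTER], [ROOT])
    print([c.subject for c in full], "CA count:", ca_count(full))
```

With the partial chain `[LEAF, INTER]` the iRule above would store `[SSL::cert count] - 1 = 1`, while `ca_count` of the completed chain gives 2 regardless of which client sent it, which is the property the permission logic needs. The same function also fills in a missing intermediate from a local pool (`intermediates=[INTER]`), and rejects a chain that terminates at a root outside the trust store.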