Danielvm_212087
Feb 09, 2017

Accessing the complete Client Certificate chain (even if only a partial chain is sent)

We have a use case where the application needs to determine the permissions of the client by processing the chain of the client certificate. As there are a great many clients, there are some that are not sending a full chain. For example, Mozilla Firefox seems to automatically remove the self-signed certificate (the Root CA) from the chain.

Our iRule currently uses the Certificate Information stored in SSL::cert, but apparently this information only includes the certificate chain that the client has sent. Is there a way to access the chain as it was completed with the trusted certificate authorities?


Our current code:


when CLIENTSSL_CLIENTCERT {

    # Check if client presented at least one cert
    if { [SSL::cert count] > 0 } {
        # Insert the following fields in the session table with a timeout of 3601 seconds.
        # Do the processing now as opposed to in HTTP_REQUEST as there
        # can be many HTTP requests using the same SSL session ID.
        #
        # Index - item
        # 0 - Full Subject (DN)
        # 1 - Issuer
        # 2 - Valid after
        # 3 - Subject extract (CN)
        # 4 - Serial Number
        # 5 - Cert Count in chain
        # 6 - Static String "client_cert_presented"

        session add ssl "cert_[SSL::sessionid]" [list \
            [X509::subject [SSL::cert 0]] \
            [X509::issuer [SSL::cert 0]] \
            [X509::not_valid_after [SSL::cert 0]] \
            [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","] \
            [X509::serial_number [SSL::cert 0]] \
            [expr { [SSL::cert count] - 1 }] \
            "client_cert_presented" \
        ] 3601

        # Loop through the cert chain and insert the certs into another session table object for
        # later processing with a timeout of 3601 seconds.
        # Do the processing now as opposed to in HTTP_REQUEST as there
        # can be many HTTP requests using the same SSL session ID.

        for { set i 0 } { $i < [SSL::cert count] } { incr i } {

            session add ssl "issuer_[SSL::sessionid]_$i" [list \
                [X509::subject [SSL::cert $i]] \
            ] 3601

        }
    }
}
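The following iRule is an added example, not code from the original post. It walks the chain the client actually sent, stores subject and issuer for each link, and records whether that chain ends in a self-signed root, so the application can tell a complete chain from a partial one (the Firefox behaviour described above) and can look up the missing issuer by DN in its own CA bundle instead of trusting the client-sent links. The session-table key prefixes `chain_` and `chain_status_` and the 3601-second timeout are illustrative choices; the commands used (`SSL::cert`, `SSL::sessionid`, `X509::subject`, `X509::issuer`, `SSL::verify_result`, `session add`, `log`) are standard iRule commands.

```tcl
# Added example (not from the original post): record the client-presented chain
# and flag whether it is complete. Key prefixes "chain_" / "chain_status_" are
# assumed names for this example.
when CLIENTSSL_CLIENTCERT {
    set count [SSL::cert count]
    if { $count == 0 } {
        return
    }

    set sid [SSL::sessionid]

    # Index 0 is the leaf; higher indices are the intermediates (and the root,
    # if the client chose to send it). Store subject and issuer for every link.
    for { set i 0 } { $i < $count } { incr i } {
        set subj [X509::subject [SSL::cert $i]]
        set iss  [X509::issuer  [SSL::cert $i]]
        session add ssl "chain_${sid}_$i" [list $subj $iss] 3601
    }

    # The chain is complete only if its last link is self-signed (subject == issuer).
    # When a browser drops the root, the last link is an intermediate whose issuer
    # is absent from the chain; the application must then resolve that issuer from
    # its own trusted CA bundle, never from anything the client sent.
    set last [SSL::cert [expr { $count - 1 }]]
    set last_issuer [X509::issuer $last]
    if { [X509::subject $last] eq $last_issuer } {
        set status "complete"
    } else {
        set status "partial"
    }
    session add ssl "chain_status_$sid" [list $status $last_issuer] 3601

    # SSL::verify_result reports the TLS-layer verification outcome (0 = success)
    # against the CA bundle configured on the client-SSL profile, independent of
    # how many links the client sent. The client-sent chain is untrusted input;
    # this result is what establishes trust in the leaf.
    log local0. "client chain for session $sid: $count cert(s), $status, last issuer=$last_issuer, verify_result=[SSL::verify_result]"
}
```

The `partial` status together with the stored issuer DN gives the application a stable key for finding the trusted anchor on its side; relying on the client to deliver the root would let a client influence which CA the permission decision is attributed to.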