Forum Discussion

chin_15339
Nimbostratus
May 01, 2017

Redirect iRule when a client certificate is missing

There are two parts to the requirement. 1: when the cert is missing, the redirect should be /certnotavailable; this part is not working. 2: when a cert has CN:X the redirect should be /X, and when CN:Y the redirect should be /Y; this is working fine.

Below is the iRule:

when RULE_INIT {
    set static::debug 1
}

when CLIENTSSL_CLIENTCERT {
    # Only runs when the client actually sends a certificate, so
    # subject_dn is never set on a connection without one.
    set subject_dn [X509::subject [SSL::cert 0]]
    if { $subject_dn != "" } {
        if { $static::debug } { log "Client Certificate received: $subject_dn" }
    }
}

when CLIENTSSL_HANDSHAKE {
    # SSL::verify_result is 0 when the client certificate chain verified.
    if { [SSL::verify_result] == 0 } then { set clientCRT 1 } else { set clientCRT 0 }
}

when HTTP_REQUEST {
    # Fails with "can't read subject_dn" when no certificate was presented,
    # so the default branch is never reached.
    switch -glob -- $subject_dn {
        "*CN=Vinit-A*" { HTTP::redirect "/vinit-A.html" }
        "*CN=Vinit-B*" { HTTP::redirect "/vinit-B.html" }
        "*CN=Vinit-C*" { HTTP::redirect "/vinit-C.html" }
        default { HTTP::redirect "/Certmissing.html" }
    }
}

1 Reply

  • Your iRule fails because the variable $subject_dn doesn't exist when the client doesn't send a client certificate. This iRule should work:

    when RULE_INIT {
        set static::debug 1
    }
    
    when CLIENTSSL_CLIENTCERT {
        # Only runs when the client sends a certificate, so subject_dn
        # stays unset on connections without one.
        set subject_dn [X509::subject [SSL::cert 0]]
        if { $subject_dn != "" } {
            if { $static::debug } { log "Client Certificate received: $subject_dn" }
        }
    }
    
    when CLIENTSSL_HANDSHAKE {
        # SSL::verify_result is 0 when the client certificate chain verified.
        if { [SSL::verify_result] == 0 } { set clientCRT 1 } else { set clientCRT 0 }
    }
    
    when HTTP_REQUEST {
        if { [info exists subject_dn] } {
            switch -glob -- $subject_dn {
                "*CN=Vinit-A*" { HTTP::redirect "/vinit-A.html" }
                "*CN=Vinit-B*" { HTTP::redirect "/vinit-B.html" }
                "*CN=Vinit-C*" { HTTP::redirect "/vinit-C.html" }
            }
        } else {
            # In Tcl the "else" must sit on the same line as the closing brace.
            HTTP::redirect "/Certmissing.html"
        }
    }
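
A hardened version of the same redirect logic, added here as an example; it is not code from either post in the thread. It assumes the client SSL profile is set to request a client certificate and carries a trusted CA bundle, so that SSL::verify_result means something; the CN-to-page map, the 403 responses for unverified or unknown certificates, and the variable names are assumptions. The regular expression that pulls out the CN stops at either "," or "/" because the separator in X509::subject output differs between platform versions. It goes beyond the thread's case in two ways: it routes on the exact CN rather than a glob over the whole DN (so a subject such as CN=Vinit-AB, or an OU containing the text, cannot match), and it closes the redirect loop that a bare HTTP::redirect in HTTP_REQUEST creates, since the redirected request for /vinit-A.html itself arrives at the same iRule.

```tcl
# Added example, not the original poster's or replier's iRule.
# Assumes: client SSL profile with "request" (or "require") client certificate
# and a trusted CA bundle; landing pages /vinit-A.html, /vinit-B.html,
# /vinit-C.html and /Certmissing.html as named in the thread. The CN map
# below is a constructed assumption.
when RULE_INIT {
    set static::debug 1
    # Only these exact CNs are routed; anything else is treated as unknown.
    array set static::cn_map {
        Vinit-A /vinit-A.html
        Vinit-B /vinit-B.html
        Vinit-C /vinit-C.html
    }
    set static::missing_page "/Certmissing.html"
}

when CLIENTSSL_CLIENTCERT {
    # Fires when the client's certificate message arrives. Guard on the
    # count: in "request" mode that message may carry no certificate at all.
    if { [SSL::cert count] > 0 } {
        set cert_present 1
        # 0 means the chain verified against the profile's trusted CA bundle.
        set cert_verified [expr { [SSL::verify_result] == 0 }]
        set subject_dn [X509::subject [SSL::cert 0]]
        # Take only the CN value, ending at "," or "/" whichever the platform
        # uses, so routing is on the exact CN and not a substring of the DN.
        if { ![regexp {CN=([^,/]+)} $subject_dn -> client_cn] } {
            set client_cn ""
        }
        if { $static::debug } {
            log local0. "Client cert received: $subject_dn verify_result=[SSL::verify_result]"
        }
    }
}

when HTTP_REQUEST {
    # Never redirect a request that is already for one of the landing pages,
    # otherwise the browser is sent round the redirect forever.
    if { [HTTP::path] equals $static::missing_page } { return }
    foreach { cn page } [array get static::cn_map] {
        if { [HTTP::path] equals $page } { return }
    }

    # No certificate at all: the variables set in CLIENTSSL_CLIENTCERT
    # do not exist on this connection.
    if { ![info exists cert_present] } {
        HTTP::redirect $static::missing_page
        return
    }

    # A certificate was presented but did not verify: do not route on its
    # subject, since the client chose every field in it.
    if { !$cert_verified } {
        HTTP::respond 403 content "Client certificate not verified" "Content-Type" "text/plain"
        return
    }

    if { [info exists static::cn_map($client_cn)] } {
        HTTP::redirect $static::cn_map($client_cn)
    } else {
        # Verified certificate whose CN is not in the map.
        HTTP::respond 403 content "Unknown certificate subject" "Content-Type" "text/plain"
    }
}
```

The split between "no certificate" and "certificate present but unverified" is the point: a redirect to /Certmissing.html is fine for a browser that never sent a certificate, but a self-signed certificate with CN=Vinit-A must not be routed as if it were the real one, which is what a glob over $subject_dn alone would do if the profile's verification result is never consulted.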