Hi Igor,
First of all, you have to configure your client cert like that:
Client Authentication:
- Client Certificate: request
- Frequency: once
- Retain cert: yes
- Trust cert: your CA that signs the user cert
- Advert cert: your CA that signs the user cert
Then try this iRule:
when HTTP_REQUEST {
    # NOTE: the original rule logs $uid without ever defining it, which
    # would raise "no such variable"; the client address is used here as
    # a stand-in identifier for the log lines.
    set uid [IP::client_addr]
    set cert_provided 0
    if { [SSL::cert count] > 0 } {
        for { set i 0 } { $i < [SSL::cert count] } { incr i } {
            log local0. "uid: $uid - cert number: $i"
            log local0. "Issuer Info: [X509::issuer [SSL::cert $i]]"
            log local0. "cert serial: [X509::serial_number [SSL::cert $i]]"
            set cert_provided 1
            # SSL::verify_result covers the whole presented chain, not only cert $i
            if { [SSL::verify_result] != 0 } {
                log local0. "uid: $uid - Cert Error: [X509::verify_cert_error_string [SSL::verify_result]]"
                set cert_provided 0
            }
        }
    } else {
        log local0. "uid: $uid - No client certificate provided"
        set cert_provided 0
    }
    # URIs that need auth
    if { !($cert_provided) } {
        switch -glob [string tolower [HTTP::uri]] {
            "/uri1" { reject }
            "/uri2" { reject }
            "/uri3" { reject }
            default {
                # do nothing
            }
        }
    }
}
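As an added example (not code from the reply above), here is the same control split into two events: the certificate is validated once in CLIENTSSL_CLIENTCERT, and HTTP_REQUEST only consults the result. The list of protected paths lives in a data group instead of a hard-coded switch, a failed check answers with an HTTP 403 instead of a TCP reset, and the verified subject is forwarded to the pool member. It assumes a string data group named protected_uris exists on the BIG-IP and that the client SSL profile is configured as described above (request, once, retain); the header name X-Client-Cert-Subject is also an assumption.

```tcl
# Added example, not the original poster's rule.
# Assumptions: a string data group "protected_uris" holds path prefixes such
# as "/uri1"; the client SSL profile requests the certificate once per session.
when CLIENTSSL_CLIENTCERT {
    # Fires once the handshake has delivered the client certificate chain.
    set cert_ok 0
    if { [SSL::cert count] > 0 } {
        # verify_result is 0 only when the chain validates against the trust CA
        if { [SSL::verify_result] == 0 } {
            set cert_ok 1
            set cert_subject [X509::subject [SSL::cert 0]]
            set cert_serial  [X509::serial_number [SSL::cert 0]]
            log local0. "[IP::client_addr] presented cert subject=$cert_subject serial=$cert_serial"
        } else {
            log local0. "[IP::client_addr] cert failed verification: [X509::verify_cert_error_string [SSL::verify_result]]"
        }
    } else {
        log local0. "[IP::client_addr] no client certificate presented"
    }
}

when HTTP_REQUEST {
    # cert_ok is connection-scoped; guard against the event not having fired.
    if { ![info exists cert_ok] } { set cert_ok 0 }
    set path [string tolower [HTTP::path]]
    if { [class match $path starts_with protected_uris] } {
        if { !$cert_ok } {
            log local0. "[IP::client_addr] denied $path (no valid client cert)"
            HTTP::respond 403 content "Client certificate required" "Content-Type" "text/plain" "Connection" "close"
            return
        }
        # Hand the verified identity to the backend (assumed header name).
        HTTP::header insert X-Client-Cert-Subject $cert_subject
    }
}
```

Because the certificate is requested once per SSL session and the variables persist for the connection, the check in HTTP_REQUEST costs nothing per request; paths not listed in protected_uris are passed through untouched, matching the "do nothing" default of the original switch.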