Forum Discussion

Sonny
May 12, 2010

Ignore "Extended Key Usage" field in Cert

Looking for help with an iRule to ignore a field in the cert. In particular, I want the F5 to ignore the "Extended Key Usage" field of the cert. Background info: I have a connection in which the server authentication is working fine but the client authentication is falling down. We have tested various scenarios and have found that if we can have an iRule that ignores that field in the cert, then the client authentication would work, too. Any help would be greatly appreciated.

6 Replies

  • Hi Sonny,

    How are you validating the client cert now on LTM? Are you using an iRule? If so, can you post the iRule code and LTM version you're testing on? What issue are you seeing with the extended key usage field?

    Aaron
  • Yeah, the client is currently using this iRule to check the validity of the cert:

    when CLIENTSSL_CLIENTCERT {
        # Log the verification result LTM computed for the client cert chain
        log cron.warning [SSL::verify_result]
        # Overwrite the result with 0 (X509_V_OK) so the handshake proceeds regardless
        SSL::verify_result 0
        # Log again to confirm the override took effect
        log cron.warning [SSL::verify_result]
    }

    and from the logs...

    May 13 08:55:30 tmm tmm[1249]: Rule XXXX-irule : 26
    May 13 08:55:30 tmm tmm[1249]: Rule XXXX-irule : 0

    and from the "26" code:

    http://www.openssl.org/docs/apps/ve...IAGNOSTICS:

    26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
    the supplied certificate cannot be used for the specified purpose.

    So what we want to do is try to come up with an iRule to look at the cert and then ignore the specific "extended key usage" field in the cert. Hope this helps... We could just get another cert BUT that $$$.


  • The "extended key usage" field on the cert is missing the blip that says it's client auth as well as server auth.

  • Hi Sonny,

    Your posts are still getting munged by the forum code. If you're checking the SSL::verify_result value, couldn't you just add logic to check for a status of 26 and change the iRule action?

    I don't think there is a way to tell LTM to ignore this issue for you.

    Aaron
  • Thanks for replying Hoolio. I ended up getting a new cert and it worked!
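As an added illustration of Aaron's suggestion (example code written for this page, not an iRule posted in the thread or supplied by F5): instead of overwriting SSL::verify_result with 0 for every client cert, the rule below acts only on code 26 (X509_V_ERR_INVALID_PURPOSE, the EKU failure seen in Sonny's logs), and only for certs issued by one expected CA, so every other chain-validation failure still rejects the connection. The CA issuer DN is a placeholder you would replace; the commands used (SSL::verify_result, SSL::cert, X509::subject, X509::issuer, log, reject) are standard LTM iRule commands.

```tcl
# Added example, not from the original thread.
# Narrow override for X509_V_ERR_INVALID_PURPOSE (26) on client certs.
when CLIENTSSL_CLIENTCERT {
    set result [SSL::verify_result]

    # 0 = X509_V_OK: the chain verified and the EKU already permits clientAuth
    if { $result == 0 } {
        return
    }

    set subject [X509::subject [SSL::cert 0]]
    set issuer  [X509::issuer  [SSL::cert 0]]

    # Placeholder issuer DN (assumption): only certs from this CA may bypass the EKU check
    set trusted_issuer "CN=Example Internal CA,O=Example Org"

    if { $result == 26 && $issuer equals $trusted_issuer } {
        # Chain and signature verified; only the Extended Key Usage lacked clientAuth.
        # Log the exception so it is visible and can be retired once a proper cert is issued.
        log local0.warn "EKU override: accepting client cert '$subject' from '$issuer' (verify_result 26)"
        SSL::verify_result 0
    } else {
        # Any other verification failure (expired, untrusted CA, revoked, ...) stays fatal
        log local0.err "Rejecting client cert '$subject' from '$issuer': verify_result $result"
        reject
    }
}
```

The point of scoping the override to one error code and one issuer is that the blanket `SSL::verify_result 0` in the earlier post also silences expired, untrusted and revoked certs, which is a much larger hole than the EKU mismatch being worked around. Treat the override as a stopgap and remove it once a cert carrying the clientAuth EKU is in place, as Sonny ultimately did.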