Forum Discussion

ebrc
Jan 30, 2019

Reject connections with no key usage extension in the client certificate

Good morning everyone!

One of our clients is asking me to be able to block all connections where the client certificate does not contain the key usage extension.

I found this link which is already a good help, but not being an expert in iRules, I'm asking for your help.

The goal is to reject all connections which don't have this in the "X509v3 extensions" of the client certificate:

    X509v3 Extended Key Usage:
        TLS Web Client Authentication

Thank you so much in advance!!

 

4 Replies

  • As per the documentation in the Wiki you provided, the command X509::extensions returns "(no extensions)" if the certificate doesn't have any extensions.

    Most of the information you need to put a very simple iRule together can be found in the example section of the Wiki. In its simplest form you could use the following:

    when CLIENTSSL_CLIENTCERT {
        if {[X509::extensions [SSL::cert 0]] eq "(no extensions)"} {
            reject
        }
    }
    
  • Ok, so I've been thinking about this as I had a feeling the command would return a list of all extensions, meaning that it wouldn't match your iRule - resulting in all traffic being dropped.

    So I created a v3 self-signed cert and did some testing:

    When you return [X509::extensions [SSL::cert 0]] it returns a list of all extensions - please see the log below from the following simple iRule:

    when CLIENTSSL_CLIENTCERT {
        # log the full text that X509::extensions returns for the client certificate
        log local0. "[X509::extensions [SSL::cert 0]]"
    }

    Jan 30 21:14:56 bigip1 info tmm[13575]: Rule /Common/client-ssl-test : X509v3 extensions:     X509v3 Subject Key Identifier:          ED:EA:FE:70:6D:21:DF:8E:AD:E4:40:4E:8E:58:78:4E:B2:44:E8:DC     X509v3 Authority Key Identifier:          keyid:ED:EA:FE:70:6D:21:DF:8E:AD:E4:40:4E:8E:58:78:4E:B2:44:E8:DC      X509v3 Basic Constraints:          CA:TRUE

    Given it's returning all of the v3 extensions for the test certificate, we're going to need to use string match to search the returned extensions.

    It's also worth noting that the Wiki states that if an invalid certificate is presented it will raise a TCL error which results in a TCP reset. Putting the [X509::extensions [SSL::cert 0]] in a catch can mitigate the TCL error.

    Putting it all together it looks something like this, let me know how you get on.

    when CLIENT_ACCEPTED {
        # Extended Key Usage purpose the client certificate must list
        set requireX509Ext "TLS Web Client Authentication"
    }

    when CLIENTSSL_CLIENTCERT {
        # X509::extensions raises a TCL error on an invalid certificate;
        # catch it so the error is logged rather than aborting the iRule
        if {[catch {set x509Ext [X509::extensions [SSL::cert 0]]} catchErr ]} {
            log local0. "Certificate Error! $catchErr"
            return
        }

        # the extensions come back as one multi-line text dump, so substring-match it
        if {!([string match "*$requireX509Ext*" $x509Ext])} {
            log local0. "ERROR: Certificate does not contain the '$requireX509Ext' x509 extension"
            reject
        }
    }

  • Hi Guys,

    Simple example from devcentral:

    when CLIENTSSL_CLIENTCERT {
      set client_cert [SSL::cert 0]
      log local0. "Client cert extensions - [X509::extensions $client_cert]"
    
      foreach item [split [X509::extensions [SSL::cert 0]] \n] {
        log local0. "Extension: $item"
      }
    } 
    

    Output:

    Client cert extensions - X509v3 Extended Key Usage:          TLS Web Client Authentication
    
    Extension: X509v3 extensions:
    Extension:  X509v3 Extended Key Usage:
    Extension:  TLS Web Client Authentication
    
    or
    
    Extension: Client cert extensions - (no extensions)
    

    You can test this simple iRule:

    when CLIENTSSL_CLIENTCERT {
        set client_cert [SSL::cert 0]
        log local0. "Client cert extensions - [X509::extensions $client_cert]"

        if { !([X509::extensions $client_cert] contains "TLS Web Client Authentication") } {
            reject
        }
    }

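    Added example, not code from any of the replies: both iRules above match the purpose name as a substring of the whole X509::extensions dump, so a match anywhere in the text (not only under Extended Key Usage) would pass. The Tcl below parses the dump into one entry per extension, using the layout shown in the logs (a header line ending in ":" followed by indented value lines; "critical" after the colon is assumed from OpenSSL's text format), and then checks the Extended Key Usage entry specifically, treating "(no extensions)" as no match. It runs in tclsh; in an iRule the procs would be invoked from CLIENTSSL_CLIENTCERT via the iRules proc/call mechanism (assumed available on the reader's TMOS version).

    ```tcl
    # Parse the text returned by X509::extensions into a dict of
    # {extension-name -> list of value lines}. "(no extensions)" yields an empty dict.
    proc parse_x509_extensions {text} {
        set exts [dict create]
        if {[string trim $text] eq "(no extensions)"} {
            return $exts
        }
        set current ""
        foreach line [split $text "\n"] {
            set line [string trim $line]
            if {$line eq "" || $line eq "X509v3 extensions:"} {
                continue
            }
            # A header is "<name>:" or "<name>: critical" (OpenSSL layout, assumed);
            # value lines (key ids, CA:TRUE, EKU names) never end in a colon.
            if {[regexp {^(.+?):(?:\s*critical)?$} $line -> name]} {
                set current $name
                dict set exts $current [list]
            } elseif {$current ne ""} {
                dict lappend exts $current $line
            }
        }
        return $exts
    }

    # 1 when the Extended Key Usage extension itself lists $purpose, else 0.
    proc has_eku {text purpose} {
        set exts [parse_x509_extensions $text]
        if {![dict exists $exts "X509v3 Extended Key Usage"]} {
            return 0
        }
        # EKU purposes are comma-separated and may span several lines.
        foreach line [dict get $exts "X509v3 Extended Key Usage"] {
            foreach item [split $line ","] {
                if {[string trim $item] eq $purpose} {
                    return 1
                }
            }
        }
        return 0
    }

    # Constructed samples mirroring the log output in the replies.
    set want "TLS Web Client Authentication"
    set clientCert "X509v3 extensions:\n    X509v3 Extended Key Usage: \n        TLS Web Client Authentication"
    set caCert "X509v3 extensions:\n    X509v3 Subject Key Identifier: \n        ED:EA:FE:70\n    X509v3 Basic Constraints: critical\n        CA:TRUE"
    foreach {label dump} [list client $clientCert ca $caCert none "(no extensions)"] {
        puts "$label: [expr {[has_eku $dump $want] ? "accept" : "reject"}]"
    }
    ```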
  • ebrc

    Hi guys!

    This morning I tested the iRule you both sent me and everything is working perfectly, as the client wanted!! :)

    I tried to use the options within the client SSL profile but I don't have a field where I can specify exactly what I need ("TLS Web Client Authentication" in my case), so I opted for an iRule.

    Lee Sutcliffe and youssef, thank you so much for your help!!

    I really appreciate it :)