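when CLIENTSSL_CLIENTCERT {
    # Client-certificate authorization for this virtual server.
    # A connection is allowed to continue only when the presented certificate
    #   (1) passes chain verification (SSL::verify_result == 0), and
    #   (2) has a subject CN that is listed in the data group "<vs_name>-ma".
    # Every other outcome is logged to local0.error and the connection is rejected.
    #
    # NOTE: the authorization decision is keyed on the CN alone, so it is only as
    # strong as the set of CAs the client-ssl profile trusts: any trusted CA can
    # issue a certificate with a listed CN.
    #
    # Set debug to 0 for max performance during normal operations. Only negative events will be logged.
    # Set debug to 1 for more logging, i.e. during troubleshooting. Negative and positive events will be logged.
    set debug 0

    set client_IP [IP::remote_addr]
    set vs_name [string tolower [virtual name]]
    # Data group name is derived from the virtual server name. Data group names are
    # case-sensitive, hence the tolower on both sides.
    set dg_name [string tolower [virtual name]-ma]

    # Fail closed if the access list does not exist: nobody can be authorized without it.
    if { ![class exists $dg_name] } {
        log local0.error "Virtual server $vs_name: Data Group $dg_name doesn't exist. Check if the Data Group has been created and whether its name is entirely in lower case."
        reject
        return
    }

    # Reset the connection if no client certificate has been presented.
    # Both checks are kept: an empty cert 0 and a zero count are treated the same way.
    if { [SSL::cert count] == 0 || [SSL::cert 0] eq "" } {
        log local0.error "Virtual server $vs_name: Client with IP address $client_IP has not presented client certificate. Connection is rejected."
        reject
        return
    }

    # A client certificate is present: check validity first, then access rights.
    set subject_dn [X509::subject [SSL::cert 0]]
    if { $debug } { log local0.error "Client Certificate Received: $subject_dn" }

    if { [SSL::verify_result] != 0 } {
        # Certificate verification failed. Log the OpenSSL verify diagnostic
        # (see http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS) and reject.
        set cert_verify_error [X509::verify_cert_error_string [SSL::verify_result]]
        log local0.error "Virtual server $vs_name: Failed to Verify Client Certificate $subject_dn presented by client with IP $client_IP. SSL verify result: $cert_verify_error. Connection has been rejected."
        reject
        return
    }

    # Certificate has been verified as valid; now check the CN against the allowed CN list.
    # cSSLSubject holds only the CN value from the certificate subject.
    # findstr is a plain substring search that stops at the first "," after "CN=":
    # a CN that itself contains an (escaped) comma is therefore truncated, and a
    # "CN=" occurring inside an earlier attribute value would be picked up instead.
    # Confirm the issuing CA's DN layout keeps "CN=" unambiguous.
    set cSSLSubject [string tolower [findstr $subject_dn "CN=" 3 ","]]
    if { $debug } { log local0.error "SSL Subject CN is: $cSSLSubject" }

    # Check if the client certificate subject CN is in the allowed access list.
    if { $debug } { log local0.error "$dg_name values: [class get $dg_name]" }
    if { [class match $cSSLSubject equals $dg_name] } {
        # CN is listed in the certificate subject access list: accept the client cert.
        # For performance reasons do not turn on logging of success events unless troubleshooting.
        if { $debug } { log local0.error "Virtual server $vs_name: Client Certificate with subject $subject_dn has been received from client with an IP address $client_IP. $cSSLSubject has been found in the Data Group $dg_name, connection has been accepted." }
    } else {
        # CN is not in the access list: reject. The message now states what actually
        # happens (the original said "would have been rejected" although it rejects).
        log local0.error "Virtual server $vs_name: Client Certificate with subject $subject_dn has been received from client with an IP address $client_IP. $cSSLSubject has not been found in the Data Group $dg_name, connection has been rejected."
        reject
        return
    }
}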