Ok, so I've been thinking about this as I had a feeling the command would return a list of all extensions, meaning that it wouldn't match your iRule - resulting in all traffic being dropped.
So I created a v3 self-signed cert and did some testing:
When you return
[X509::extensions [SSL::cert 0]]
It returns a list of all extensions - please see the log below from the following simple iRule:
when CLIENTSSL_CLIENTCERT {
    # Log the full extension text of the presented client certificate
    log local0. "[X509::extensions [SSL::cert 0]]"
}
Jan 30 21:14:56 bigip1 info tmm[13575]: Rule /Common/client-ssl-test : X509v3 extensions: X509v3 Subject Key Identifier: ED:EA:FE:70:6D:21:DF:8E:AD:E4:40:4E:8E:58:78:4E:B2:44:E8:DC X509v3 Authority Key Identifier: keyid:ED:EA:FE:70:6D:21:DF:8E:AD:E4:40:4E:8E:58:78:4E:B2:44:E8:DC X509v3 Basic Constraints: CA:TRUE
Given it's returning all of the v3 extensions for the test certificate, we're going to need to use
string match
to search the returned extensions.
It's also worth noting that the Wiki states that if an invalid certificate is presented it will raise a TCL error which results in a TCP reset. Putting the
[X509::extensions [SSL::cert 0]]
in a catch can mitigate the TCL error.
Putting it all together, it looks something like this; let me know how you get on.
when CLIENT_ACCEPTED {
    # Extension text that must be present in the client certificate
    set requireX509Ext "TLS Web Client Authentication"
}
when CLIENTSSL_CLIENTCERT {
    # X509::extensions raises a TCL error (and a TCP reset) on an invalid
    # certificate, so wrap it in catch and handle the failure ourselves
    if {[catch {set x509Ext [X509::extensions [SSL::cert 0]]} catchErr]} {
        log local0. "Certificate Error! $catchErr"
        return
    }
    # The command returns all extensions as one string, so search it
    if {!([string match "*$requireX509Ext*" $x509Ext])} {
        log local0. "ERROR: Certificate does not contain the '$requireX509Ext' x509 extension"
        reject
    }
}
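As an added example (not part of the original post or of F5's iRule code), here is a tighter version of the check: instead of matching "TLS Web Client Authentication" anywhere in the extension dump, it pulls out the Extended Key Usage entry and checks that purpose specifically. It assumes the X509::extensions output keeps the OpenSSL-style "X509v3 <Name>: <value>" layout shown in the log above; the sample string is constructed, and the procs are hypothetical helpers that run under plain tclsh.

```tcl
# Constructed sample extension text, laid out like the logged output above.
# In an iRule, replace this with [X509::extensions [SSL::cert 0]].
set sampleExt "X509v3 extensions: X509v3 Subject Key Identifier: ED:EA:FE:70:6D:21:DF:8E:AD:E4:40:4E:8E:58:78:4E:B2:44:E8:DC X509v3 Basic Constraints: CA:FALSE X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection"

# Return the value of one named X509v3 extension, or "" if it is absent.
# The value runs from the "Name:" marker up to the next "X509v3 " entry
# or the end of the string. The non-greedy quantifier comes first so the
# whole Tcl ARE prefers the shortest match.
proc getExtValue {extText name} {
    set pattern "X509v3 ${name}:(.*?)(?:X509v3 |$)"
    if {[regexp -- $pattern $extText -> value]} {
        return [string trim $value]
    }
    return ""
}

# True only when the Extended Key Usage extension lists the given purpose;
# a matching phrase elsewhere in the certificate does not count.
proc hasEku {extText purpose} {
    set eku [getExtValue $extText "Extended Key Usage"]
    foreach item [split $eku ","] {
        if {[string equal [string trim $item] $purpose]} {
            return 1
        }
    }
    return 0
}

puts [getExtValue $sampleExt "Basic Constraints"]             ;# CA:FALSE
puts [hasEku $sampleExt "TLS Web Client Authentication"]      ;# 1
puts [hasEku $sampleExt "TLS Web Server Authentication"]      ;# 0
```

Inside the CLIENTSSL_CLIENTCERT event you would call hasEku on the real extension text and reject when it returns 0, keeping the catch around X509::extensions as in the iRule above.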