Reject connections with no extention keyusage in client certificate

Hi Guys,

Simple example from devcentral:

when CLIENTSSL_CLIENTCERT {
  set client_cert [SSL::cert 0]
  log local0. "Client cert extensions - [X509::extensions $client_cert]"

  foreach item [split [X509::extensions [SSL::cert 0]] \n] {
    log local0. "Extension: $item"
  }
} 

Output:

Client cert extensions - X509v3 Extended Key Usage:          TLS Web Client Authentication

Extension: X509v3 extensions:
Extension:  X509v3 Extended Key Usage:
Extension:  TLS Web Client Authentication

or

Extension: Client cert extensions - (no extensions)

You can test this simple irule:

when CLIENTSSL_CLIENTCERT {

set client_cert [SSL::cert 0]
log local0. "Client cert extensions - [X509::extensions $client_cert]"


if { !([X509::extensions $client_cert] contains "TLS Web Client Authentication") } {
    reject
}

}