youssef1
Jan 31, 2019 (Cumulonimbus)
Hi Guys,
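Simple example from DevCentral:

    when CLIENTSSL_CLIENTCERT {
        # Index 0 is the first certificate in the peer chain (the client certificate)
        set client_cert [SSL::cert 0]
        log local0. "Client cert extensions - [X509::extensions $client_cert]"
        # Log each line of the extension text separately
        foreach item [split [X509::extensions [SSL::cert 0]] \n] {
            log local0. "Extension: $item"
        }
    }
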
Output:
Client cert extensions - X509v3 Extended Key Usage: TLS Web Client Authentication
Extension: X509v3 extensions:
Extension: X509v3 Extended Key Usage:
Extension: TLS Web Client Authentication
or
Extension: Client cert extensions - (no extensions)

You can test this simple iRule:

    when CLIENTSSL_CLIENTCERT {
        set client_cert [SSL::cert 0]
        log local0. "Client cert extensions - [X509::extensions $client_cert]"
        # Reject the connection when the extension text lacks the client-auth usage
        if { !([X509::extensions $client_cert] contains "TLS Web Client Authentication") } {
            reject
        }
    }
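
A stricter variant of the check in the post, added here as an example and not part of the original post or of F5's documentation: it accepts the certificate only when "TLS Web Client Authentication" appears as a value inside the Extended Key Usage section, instead of anywhere in the extension text. It assumes the [X509::extensions] output has the layout shown in the logged output above (a header line ending in ":" or ": critical", values on the following lines, several usages separated by commas); the log message text is made up for the example.

```tcl
when CLIENTSSL_CLIENTCERT {
    # No certificate was presented: nothing to inspect.
    if { [SSL::cert count] == 0 } {
        reject
        return
    }

    set in_eku 0            ;# 1 while reading values of the EKU extension
    set has_client_auth 0   ;# 1 once the client-auth usage has been seen

    foreach line [split [X509::extensions [SSL::cert 0]] "\n"] {
        set line [string trim $line]
        if { $line eq "" } { continue }

        # Assumed layout: every extension starts with a header line that
        # ends in ":" (or ": critical"); value lines do not end that way.
        if { [string match "*:" $line] || [string match "*: critical" $line] } {
            set in_eku [string match "X509v3 Extended Key Usage:*" $line]
            continue
        }

        # Only value lines that belong to the EKU extension are compared.
        if { $in_eku } {
            foreach usage [split $line ","] {
                if { [string trim $usage] eq "TLS Web Client Authentication" } {
                    set has_client_auth 1
                }
            }
        }
    }

    if { !$has_client_auth } {
        log local0. "Rejecting client certificate: no client-auth Extended Key Usage"
        reject
    }
}
```

Check the header and value layout against the log lines your own BIG-IP version produces before relying on it.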