That didn't seem to work. My rule now looks like
when CLIENTSSL_HANDSHAKE {
    # Grab the client's leaf certificate (index 0) at handshake time.
    set cert [SSL::cert 0]
}
when HTTP_REQUEST {
    # Tests only that the variable was set, not that it holds a certificate.
    if { [info exists cert] } {
        log local0. "cert variable is $cert"
        set stuff [X509::subject $cert]
        if { [matchclass $stuff contains $::merlin] } {
            use pool test-sun
        } else {
            log local0. "Invalid Cert from [IP::client_addr]"
            reject
        }
    } else {
        log local0. "No Cert Presented from [IP::client_addr]"
        reject
    }
}
But I'm still getting the error when a client comes in via IP address (or any other way that requires them to click yes to the SSL warning pop-up dialogue). The log message seems to indicate that indeed the $cert variable is not being populated, but if that is the case why is that block of the rule getting executed at all?
Apr 5 21:19:25 tmm tmm[5569]: Rule test : cert variable is
Apr 5 21:19:25 tmm tmm[5569]: 01220001:3: TCL error: Rule test - while executing "X509::subject $cert "
Thanks.
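The log above shows why the block runs: `info exists cert` is true as soon as the variable is set, even to an empty string, and `X509::subject` then fails on that empty value. Below is an added example of a rule that guards on the certificate's content rather than the variable's existence; it is not the poster's rule, and it assumes `SSL::cert count` reports how many certificates the client presented and that `SSL::cert 0` is empty when there is none.

```tcl
# Added example (not the original post's rule).
# Assumption: SSL::cert count is 0 and SSL::cert 0 is "" when the client
# completed the handshake without presenting a certificate.
when CLIENTSSL_HANDSHAKE {
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
    } else {
        # Set it explicitly so HTTP_REQUEST never sees an unset variable.
        set cert ""
    }
}
when HTTP_REQUEST {
    # Guard on content, not existence: an empty $cert is what makes
    # X509::subject throw the TCL error seen in the log.
    if { ![info exists cert] || $cert eq "" } {
        log local0. "No Cert Presented from [IP::client_addr]"
        reject
        # reject does not stop the event; return so nothing below runs.
        return
    }
    set subj [X509::subject $cert]
    log local0. "cert subject is $subj"
    if { [matchclass $subj contains $::merlin] } {
        pool test-sun
    } else {
        log local0. "Invalid Cert from [IP::client_addr]"
        reject
    }
}
```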