Forum Discussion

Maxim_Taskov_90's avatar
Maxim_Taskov_90
Icon for Nimbostratus rankNimbostratus
Nov 15, 2011

Client Certificate Validation by Subject

I am trying to use the common name CN from the x509::subject variable to validate a client certificate. I used the rule from teh following post as a sample:

 

 

http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/39/aft/1167776/showtab/groupforums/Default.aspx

 

 

, and the following DevCentral Wiki for some additional ideas:

 

 

http://devcentral.f5.com/wiki/iRules.ClientCertificateCNChecking.ashx

 

 

My original iRule was:

 

 

when CLIENTSSL_CLIENTCERT {

 

set subject_dn [X509::subject [SSL::cert 0]]

 

log local0. "Client Certificate Received: $subject_dn"

 

if { [matchclass $subject_dn contains $::ebilling_accepted_certs]} {

 

log local0. "Client Certificate Accepted: $subject_dn"

 

} else {

 

log local0. "Invalid Client Certificate Was Found Using: $subject_dn"

 

reject

 

}

 

}

 

 

The above iRule does a very good job except that it had two defects, or at least that is what I observed in my deployment:

 

 

1. The iRule was crashing with TCL error when client certificate was not presented and instead of rejecting the connection, it allowed it.

 

 

2. The iRule was crashing with TCL error when the subject of client certificate was blank (yes, this happens) and instead of rejecting the connection, it allowed it.

 

 

Otherwise it was working very well by allowing the connectiong when the presented certificate was in the list of allowed and rejecting the connection when proper client certifiacte was presented (including a subject field, which is not blank) but it is not in the list of teh allowed certificates.

 

 

Then I tried to modify the rule to handle the failing conditions of 1 and 2 above. Here is what I got:

 

 

when CLIENTSSL_CLIENTCERT {

 

set subject_dn [X509::subject [SSL::cert 0]]

 

Log the subject properties of the presented certificate

 

log local0. "Client Certificate Received: $subject_dn"

 

Check to see if the presented certificate is allowed and if yes, accept

 

if {[matchclass $subject_dn contains $::ebilling_accepted_certs]} {

 

log local0. "Client Certificate Accepted: $subject_dn"

 

Check to see if certificate is presented and if not, reject

 

} elseif {[SSL::cert 0] eq ""} {

 

log local0. "Client Certificate was not provided"

 

reject

 

Check to see if the presented certificate has subject and if not, accept

 

} elseif {[string length $subject_dn] == 0 } {

 

log local0. "Client Certificate with blank subject was detected"

 

reject

 

} elseif {

 

Any other condition and valid bu unauthorized certificate, reject

 

log local0. "Unauthorized Client Certificate was detected: $subject_dn"

 

reject

 

}

 

}

 

 

The iRule above compiles and runs but still crashes and cannot handle the "blank subject" or "no certificate" conditions and continues to allow the connections when it should be rejecting them.

 

 

Any assistance will be greatly appreciated and is desperately needed. Thanks.

18 Replies