Forum Discussion

Sep 15, 2016

wild card CN validation.

Hello,


I am looking for a solution to validate wild card CN from client authentication certificate.


ex: CN=.dev.test.com CN=_dev.test.com. Is there any way to validate this using an iRule? We are using V11.5.1.


2 Replies

  • Hi Mike,


    you may use the iRule as a starting point...


    when RULE_INIT {
        # Accepted CN suffixes, space separated (a Tcl list)
        set static::cn_wildcard ".dev.test.com _dev.test.com"
    }
    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert 0] eq "" } then {
            log local0.debug "A valid certificate is not present"
            reject
        } else {
            log local0.debug "A valid certificate is present"
            log local0.debug "DN=[X509::subject [SSL::cert 0]]"
            # Take what follows "CN=" in the subject DN
            set subject_cn [getfield [X509::subject [SSL::cert 0]] "CN=" 2]
            log local0.debug "CN=$subject_cn"
            set wildcard_match 0
            # Accept the CN if it ends with any configured suffix
            foreach wildcard $static::cn_wildcard {
                if { $subject_cn ends_with $wildcard } then {
                    log local0.debug "CN=$subject_cn matches Wildcard=$wildcard"
                    set wildcard_match 1
                    break
                } else {
                    log local0.debug "CN=$subject_cn does not match Wildcard=$wildcard"
                }
            }
            if { $wildcard_match } then {
                # Allow the request
            } else {
                reject
            }
        }
    }

    Note: I've not tested the iRule. It's just a quick write-up. So report back if you experience any problems with the code...


    Cheers, Kai
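To show what the reply's suffix check accepts compared with a true single-label wildcard, here is an added Python model of the CN extraction and matching (not F5 code and not Kai's iRule). It assumes the pattern the question means is `*.dev.test.com` with `*` standing for exactly one DNS label; the DN strings are constructed samples.

```python
"""Model of the CN check: plain suffix matching (what the iRule's ends_with
does) next to a stricter single-label wildcard match.  Added example, not
F5 code; the DN strings used in the test are constructed samples."""
import re
from typing import Optional

def subject_cn(dn: str) -> Optional[str]:
    """Return the CN attribute of an RFC 2253 style DN such as
    'CN=app1.dev.test.com,OU=Dev,O=Example'.  Splits only on commas that
    are not backslash-escaped, so a CN containing ',' is not truncated
    the way a simple 'cut at the next comma' would truncate it."""
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.strip().partition('=')
        if attr.strip().upper() == 'CN':
            return value.replace('\\,', ',')
    return None

def suffix_match(cn: str, suffix: str) -> bool:
    """What ends_with does: any name ending in the suffix passes, including
    names with extra labels such as 'a.b.dev.test.com'."""
    return cn.endswith(suffix)

def wildcard_match(cn: str, pattern: str) -> bool:
    """Strict match: '*.dev.test.com' covers exactly one extra DNS label.
    A pattern without a leading '*.' must equal the whole name.  Both sides
    are compared case-insensitively, as DNS names are."""
    cn, pattern = cn.lower(), pattern.lower()
    if not pattern.startswith('*.'):
        return cn == pattern
    parent = pattern[1:]                   # '.dev.test.com'
    if not cn.endswith(parent):
        return False
    label = cn[:-len(parent)]              # the text '*' stands for
    return re.fullmatch(r'[a-z0-9-]+', label) is not None

def cert_allowed(dn: str, patterns: list) -> bool:
    """Decision the iRule makes, using the strict matcher."""
    cn = subject_cn(dn)
    return cn is not None and any(wildcard_match(cn, p) for p in patterns)
```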