Forum Discussion

Rob_Wismans_179's avatar
Rob_Wismans_179
Icon for Nimbostratus rankNimbostratus
Feb 22, 2018

Bypass Client Certificate authentication

Hello,

 

I have an existing working irule that handles client authentication.

 

The Client SSL Profile is set to request a client certificate.

 

My question: How to bypass this existing client certificate handling when no certificate is presented

 

I have tried to insert some logic in the else statement in CLIENTSSL_CLIENTCERT, but that does not work.

 

5 Replies

  • when RULE_INIT {
         "0" to disable logging, "1" to enable reject logging and "2" to enable debug logging
        set static::debug 2
    }
    
  • when CLIENT_ACCEPTED {
        if { $static::debug == 2  } { log local0. "CIP: Client connected from [IP::client_addr]:[TCP::client_port]" }
    }
    
    when CLIENTSSL_CLIENTCERT {
        if { $static::debug == 2  } { 
             Check if client presented a cert after it was requested/required
            if { [SSL::cert count] > 0 } {
                 Loop through each cert and log the cert subject, issuer and serial number
                for { set i 0 } { $i < [SSL::cert count] } { incr i } {
                    log local0. "CIP: [IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]];\
                        [X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]];"
                }
            } else {
                log local0. "CIP: [IP::client_addr]:[TCP::client_port]: No client cert found!"
            }
        }
    }
    
  • when CLIENTSSL_HANDSHAKE {
    
                        if { $static::debug == 2  } { log local0. "CIP: Handshake event triggered" }
                   set cert_subject [X509::subject [SSL::cert 0]]
                        if { $static::debug == 2  } { log local0. "CIP: Start processing certificate $cert_subject" }
    
                    By default reject the certificate
                   set reject 1
                   set auth ""
    
                    Lookup the subject in the datagrouplist and return as a list with name and value paired
                   set matches [class match -element -all $cert_subject contains /CIP/CIP-Client_Cert-Test02]
                        if { $static::debug == 2  } { log local0. "CIP: Found [llength $matches] matches in datagroup, Value Of: $matches" }
    
                    Check for valid result from lookup
                   if { [llength $matches] != 0 } {
    
    
    
                                  set auth [lindex $matches 1]
                                  if { $static::debug == 2  } { log local0. "CIP: Matching client certificate (DN: $cert_subject, SN: [X509::serial_number [SSL::cert 0]], Auth: $auth)" }
    
                                  set reject 0
                   }
    }
    
  • when HTTP_REQUEST {
        if { $reject } {
            if { $static::debug == 2  } { log local0. "CIP: Client certificate rejected (DN: $cert_subject)" }
            HTTP::respond 200 content {
                        
                            
                                Denied
                            
                            
                        Your client is denied access.
                            
                        
            }
            TCP::close
            reject
        }
    
        if {$auth ne ""} {
            if { $static::debug == 2  } { log local0. "CIP: Adding Authorization: Basic $auth" }
            HTTP::header remove "Authorization"
            HTTP::header insert "Authorization" "Basic $auth"
    
        }
    }
    
  • Can you clarify the behaviour you get?

     

    You said the message you put in the "else" did not have output, but did the "if" was executed? Was the event CLIENTSSL_CLIENTCERT triggered?