May 29, 2018

Verifying CN received (client auth)

Hi guys,

I'm trying to verify a client auth certificate using this iRule, but from the logs I can see it's always Accepted even though my trusted_certs only has 1 CN;

i.e: my trusted_certs is "CN" = "" ;

But even if I send it still says Client Certificate

if { [SSL::cert count] != 0 } {
    set cert [SSL::cert 0]
    # skip count 0 keeps the "CN=" prefix in the extracted value
    set subject_dn [findstr [X509::subject $cert] "CN=" 0 ","]
    log "Client Certificate Received: $subject_dn"

    if { ([matchclass $subject_dn contains trusted_certs]) } {
        log "Client Certificate Accepted: $subject_dn"
    } else {
        log "No Matching Client Certificate Was Found Using: $subject_dn"
    }
}

  • Hi Blakely,

    Yeah I tested that too. Still the same (I better change my code snippet, as I know matchclass uses the $:: object)

    and the data group is there..

    I can't seem to include any arguments after data-group

  • It's an external file, so you can't list the contents. Try:

    cat /config/filestore/files_d/Common_d/data_group_d/\:Common\:trusted_certs*
  • Apologies, due to organization rules, I can't divulge the full CN.

    The trusted_certs only contains 1 single line as above. So I created a self-signed cert and key using openssl and sent it to the Virtual Server with the command:

    openssl s_client -connect host:port -cert -key

    This is what I see from F5 logs:

  • I think what is happening is:

    The way you created your datagroup has created a datagroup element with a name of "CN" and a value of "3456.xxxx.yyyy.zzz".

    Your extraction from the certificate is CN=1234.xxxx.yyyy.zzz

    So the contains match is for "CN", and will always match. You can create your datagroup without the CN= element at all, or specify the -value specifier to match on the values.
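A corrected form of the iRule, written here as an added example rather than code from the thread: it strips the "CN=" prefix before matching, compares the bare CN against the data group record names with `equals` instead of `contains`, and rejects the connection instead of only logging. It assumes a string data group named trusted_certs whose record names are the bare CN values (no "CN=") and the event name CLIENTSSL_CLIENTCERT.

```tcl
# Added example (not from the thread): allow-list client certificates by CN.
# Assumes a string data group "trusted_certs" whose record *names* are the bare
# CN values, e.g.
#   ltm data-group internal trusted_certs { records { 1234.xxxx.yyyy.zzz { } } type string }
# The client SSL profile still has to require the client certificate and verify
# it against the trusted CA bundle; this iRule only adds a CN allow-list on top.
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate presented by [IP::client_addr]"
        reject
        return
    }
    set cert [SSL::cert 0]
    set subject_dn [X509::subject $cert]

    # Skip the 3 characters of "CN=" so only the value is kept, ending at the
    # next ",". If the subject has no CN at all, findstr returns "" and the
    # empty string matches no record name below.
    set cn [findstr $subject_dn "CN=" 3 ","]
    log local0. "Client certificate received, CN=$cn (subject: $subject_dn)"

    # "equals" against the record names: the whole CN must match exactly.
    # The original "contains" test against a record named "CN" matched every
    # subject, because every subject string contains "CN".
    if { [class match $cn equals trusted_certs] } {
        log local0. "Client certificate accepted: $cn"
    } else {
        log local0. "Client certificate rejected, no matching CN: $cn"
        reject
    }
}
```

Whether the certificate chains to a trusted CA is decided by the client SSL profile, not by this iRule, so the allow-list only adds value when the profile is set to require and verify client certificates.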