Erich_Rockman_1
Jun 29, 2016

Client Certificate Verification using Request

Hello. Wondering if there is an iRule equivalent of the "Client Certificate - Require" and "Trusted Certificate Authorities - Bundle" in the SSL Profile. I have a situation where I need to set the "Client Certificate" to request but still verify the cert. The cert is only verified when "Client Certificate" is set to require. I know I can build a rule that checks the issuer against a data group, etc., but I am looking for a feature-parity approach in an iRule. Thanks.

 

  • I decided to go with something like this:

    when CLIENTSSL_CLIENTCERT {
        # Only check the result when the client actually presented a certificate
        if {[SSL::cert count] > 0} {
            set error_code [SSL::verify_result]
            set error_code_string [X509::verify_cert_error_string [SSL::verify_result]]

            log local0. "error_code = $error_code"
            log local0. "error_code_string = $error_code_string"

            # Any non-zero verification result rejects the connection
            if { $error_code ne 0 } {
                reject
                return
            }
        }
    }