Kevin_Stewart
Dec 11, 2013 (Employee)
Try this:
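when CLIENTSSL_CLIENTCERT {
    # Fires once the TLS handshake has collected the client certificate (or
    # established that none was sent). Chain/signature validation is not done
    # here; this rule only inspects the certificate it is handed.
    # NOTE(review): confirm the Client SSL profile is set to require and verify
    # the client certificate, otherwise an unverified cert can reach this logic.
    set client_cert [SSL::cert 0]

    # Check if client provided a cert
    if { $client_cert eq "" } {
        log local0. "Client Certificate Missing"
        reject
        return
    }

    # Lower-cased so the data group match below is case-insensitive; the
    # entries in progressive_cn_list must therefore be stored in lower case.
    set subject_dn [string tolower [X509::subject $client_cert]]
    set not_after  [X509::not_valid_after $client_cert]

    # Expiration checking: warn when the cert expires within the next 30 days.
    # An already-expired cert only produces a warning here (days_left goes
    # negative) — it is not rejected by this rule.
    # NOTE(review): confirm expired certs are rejected by profile validation.
    set now        [clock seconds]
    set expiration [clock scan $not_after]
    if { [clock scan "+30 days" -base $now] >= $expiration } {
        set days_left [expr { ($expiration - $now) / 60 / 60 / 24 }]
        log local0. "Cert expiring ($days_left days): $subject_dn"
    }
    log local0. "Client Certificate Received: $subject_dn --- $not_after"

    # Authorization: the subject DN must contain one of the data group entries.
    # "contains" is a substring match, so keep entries specific (e.g. the full
    # CN component); a short entry would also match any unrelated DN that
    # happens to embed it.
    if { [class match $subject_dn contains progressive_cn_list] } {
        # Accept the client cert
        log local0. "Client Certificate Accepted: $subject_dn [SSL::cert count]"
    } else {
        log local0. "Client Certificate Mismatch: $subject_dn [SSL::cert count]"
        reject
    }
}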