CLIENTSSL_CLIENTCERT

Description¶

Triggered when the system receives a certificate message from the client. The message may contain zero or more certificates. The BIG-IP system can retrieve the X509 certificate and its X509 issuer with the SSL::cert and SSL::cert issuer commands.

Examples¶

when CLIENTSSL_CLIENTCERT {
  # Save the first client cert to a variable.  Not sure why, but...
  set ssl_cert [SSL::cert 0]

  # Using the SSL session ID as the key,
  # add the cert to the session table with a timeout of 180 seconds
  session add ssl [SSL::sessionid] $ssl_cert 180
}

when CLIENTSSL_CLIENTCERT {

   # Debug flag
   set debug 1

   # Check if client presented a cert after it was requested/required
   if {[SSL::cert count] > 0}{

      # Client presented at least one cert.  The actual client cert should always be first.
      if {$debug > 1}{

     # Loop through each cert and log the cert subject, issuer and serial number
         for {set i 0} {$i < [SSL::cert count]} {incr i}{

            log local0. "[IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]];\
               [X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]];"
         }
      }
   } else {
      if {$debug > 1}{log local0. "[IP::client_addr]:[TCP::client_port]: No client cert found!"}
   }
}

Sample log output:
: client IP:port=1.1.1.1:3953: cert 0; subject:
emailAddress=some_user@example.com,CN=Some User,OU=Example
OU,OU=Example2 OU; issuer: CN=Example CA Customer CA,O=Secure Internet
Services Ltd.; cert_serial=22:22:22:22:22:22:22:22:22:22;
: client IP:port=1.1.1.1:3953: cert 1; subject: CN=Example CA Customer
CA,O=Secure Internet Services Ltd.; issuer: CN=Example CA Primary
CA,O=Secure Internet Services Ltd;
cert_serial=11:11:11:11:11:11:11:11:11:11;
: client IP:port=1.1.1.1:3953: cert 2; subject: CN=Example CA Primary
CA,O=Secure Internet Services Ltd; issuer: CN=Example CA Root
CA,O=Secure Internet Services Ltd;
cert_serial=00:00:00:00:00:00:00:00:00:00;

Related Information¶

Available Commands:

clone - Causes the system to clone traffic to the specified pool or pool member regardless of monitor status.
forward - Sets the connection to forward IP packets.
IP::idle_timeout - Returns or sets the idle timeout value.
ip_ttl - Returns the TTL of the latest IP packet received.
lasthop - Sets the lasthop of an IP connection.
listen - Sets up a related ephemeral listener to allow an incoming related connection to be established.
LSN::address - Set or override translation address.
LSN::disable - Disable LSN translation.
LSN::inbound - Disable inbound connections to translation address/port.
LSN::persistence - Set translation selection mode and persistence timeout.
LSN::persistence-entry - Create or lookup translation address.
LSN::pool - Specify LSN pool for current connection.
LSN::port - Set or override translation port.
nexthop - Sets the nexthop of an IP connection.
node - Sends the packet directly to the identified server node.
peer - Causes the specified iRule commands to be evaluated under the peer’s (opposite) context.
persist - Causes the system to use the named persistence type to persist the connection.
pool - Causes the system to load balance traffic to the specified pool or pool member regardless of monitor status.
session - Utilizes the persistence table to store arbitrary information based on the same keys as persistence.
SSL::cert - Returns X509 SSL certificate data.
SSL::extensions - Returns or manipulates SSL extensions.

Warning

The links to the sample code below are remnants of the old DevCentral wiki and will result in a 404 error. For best results, please copy the link text and search the codeshare directly on DevCentral.

Sample Code:

Client Cert Request by URI with OCSP Checking - Request a client SSL certificate by URI and validate it using OCSP
Client Certificate CN Checking - These iRules will check the presented client certificate for a valid CN. allowing or rejecting
Client Certificate Request by URI with OCSP Checking (v10.1 - v10.2.x) - Request a client SSL certificate by URI and validate it using OCSP for v10.1 - 10.2.x
Insert Client Certificate In Serverside HTTP Headers - An example iRule that pulls certainformation from a client cert and passes it along to backend server in HTTP headers.
Validate Certificate Common Name and Revocation Status - If you are using the same CA to isssue client certificates to provide secur…

Introduced: BIGIP-9.0.0

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.

CLIENTSSL_CLIENTCERT¶

Description¶

Examples¶

Related Information¶