ltm rule event CLIENTSSL_CLIENTCERT

iRule(1)		      BIG-IP TMSH Manual		      iRule(1)



CLIENTSSL_CLIENTCERT
       Triggered when the system adds an SSL client certificate to the client
       certificate chain.

DESCRIPTION
       Triggered when the system receives a certificate message from the
       client. The message may contain zero or more certificates. The BIG-IP
       system can retrieve the X509 certificate and its X509 issuer with the
       SSL::cert and SSL::cert issuer commands.

Examples
	when CLIENTSSL_CLIENTCERT {
	   # Save the first client cert (index 0, the end-entity cert) to a variable.
	   set ssl_cert [SSL::cert 0]

	   # Using the SSL session ID as the key,
	   # add the cert to the session table with a timeout of 180 seconds
	   session add ssl [SSL::sessionid] $ssl_cert 180
	}

	when CLIENTSSL_CLIENTCERT {

	   # Debug flag: set to 1 to log every certificate in the presented chain
	   set debug 1

	   # Check if client presented a cert after it was requested/required
	   if {[SSL::cert count] > 0} {

	      # Client presented at least one cert.  The actual client cert should always be first.
	      if {$debug} {

	         # Loop through each cert and log the cert subject, issuer and serial number
	         for {set i 0} {$i < [SSL::cert count]} {incr i} {

	            log local0. "[IP::client_addr]:[TCP::client_port]: cert #$i; subject=[X509::subject [SSL::cert $i]];\
	               issuer=[X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]];"
	         }
	      }
	   } else {
	      if {$debug} {log local0. "[IP::client_addr]:[TCP::client_port]: No client cert found!"}
	   }
	}

	Sample log output:

	: client IP:port=1.1.1.1:3953: cert 0; subject: emailAddress=some_user@example.com,CN=Some User,OU=Example OU,OU=Example2 OU; issuer: CN=Example CA Customer CA,O=Secure Internet Services Ltd.; cert_serial=22:22:22:22:22:22:22:22:22:22;
	: client IP:port=1.1.1.1:3953: cert 1; subject: CN=Example CA Customer CA,O=Secure Internet Services Ltd.; issuer: CN=Example CA Primary CA,O=Secure Internet Services Ltd; cert_serial=11:11:11:11:11:11:11:11:11:11;
	: client IP:port=1.1.1.1:3953: cert 2; subject: CN=Example CA Primary CA,O=Secure Internet Services Ltd; issuer: CN=Example CA Root CA,O=Secure Internet Services Ltd; cert_serial=00:00:00:00:00:00:00:00:00:00;
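	The following iRule is an added example, not part of the BIG-IP manual: it goes one step beyond the examples above by rejecting handshakes whose client chain is absent or fails verification, storing the leaf identity in the session table, and consuming that entry in HTTP_REQUEST. It assumes the client SSL profile requests or requires a client certificate with a trusted CA bundle configured, that SSL::verify_result and X509::verify_cert_error_string are available on the target version (neither appears on this page), and that the header names X-Client-Cert-Subject and X-Client-Cert-Issuer are ones the back end expects.

```tcl
# Added example; not from the BIG-IP manual. Assumes a client SSL profile that
# requests/requires a client cert and has a CA bundle, and that the back end
# consumes the (hypothetical) X-Client-Cert-Subject / X-Client-Cert-Issuer headers.
when CLIENTSSL_CLIENTCERT {
    # An empty certificate message means the client offered no identity at all.
    if {[SSL::cert count] == 0} {
        log local0. "[IP::client_addr]:[TCP::client_port]: no client cert presented, rejecting"
        reject
        return
    }

    # Assumed command: SSL::verify_result returns the OpenSSL verify code for
    # the chain; 0 means it chained to a CA trusted by the profile.
    set vres [SSL::verify_result]
    if {$vres != 0} {
        log local0. "[IP::client_addr]:[TCP::client_port]: client cert failed verification: [X509::verify_cert_error_string $vres]"
        reject
        return
    }

    # Index 0 is the end-entity cert; SSL::cert issuer 0 would return its issuer cert
    # when the client sent it. Here only the leaf's fields are recorded.
    set leaf    [SSL::cert 0]
    set subject [X509::subject $leaf]
    set issuer  [X509::issuer $leaf]

    # Keyed by SSL session ID (as in the manual's first example) so a resumed
    # session finds the same identity without a fresh certificate message.
    session add ssl [SSL::sessionid] [list $subject $issuer] 180
    log local0. "[IP::client_addr]:[TCP::client_port]: accepted client cert subject=$subject issuer=$issuer"
}

when HTTP_REQUEST {
    # Never forward identity headers the client itself supplied; strip first,
    # then insert only what this device observed during the handshake.
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Issuer"

    set ident [session lookup ssl [SSL::sessionid]]
    if {$ident ne ""} {
        HTTP::header insert "X-Client-Cert-Subject" [lindex $ident 0]
        HTTP::header insert "X-Client-Cert-Issuer"  [lindex $ident 1]
    }
}
```

	If SSL::sessionid is empty for a client (for example a resumption path that does not expose a session ID), the session table lookup returns nothing and no identity header is inserted, so the back end should treat a missing header as "unauthenticated" rather than as a default identity.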

HINTS
SEE ALSO
CHANGE LOG
       @BIGIP-9.0.0 -- First introduced the event.



BIG-IP				  2017-01-31			      iRule(1)