ltm rule event CLIENTSSL_CLIENTCERT
iRule(1) BIG-IP TMSH Manual iRule(1)
CLIENTSSL_CLIENTCERT
Triggered when the system adds an SSL client certificate to the client
certificate chain.
DESCRIPTION
Triggered when the system receives a certificate message from the
client. The message may contain zero or more certificates. The BIG-IP
system can retrieve the X509 certificate and its X509 issuer with the
SSL::cert and SSL::cert issuer commands.
Examples
when CLIENTSSL_CLIENTCERT {
    # Save the first (leaf) client cert to a variable so it can be
    # reused after the handshake.
    set ssl_cert [SSL::cert 0]
    # Using the SSL session ID as the key, add the cert to the session
    # table with a timeout of 180 seconds.
    session add ssl [SSL::sessionid] $ssl_cert 180
}
when CLIENTSSL_CLIENTCERT {
    # Debug flag: set to 0 to silence the per-certificate logging below
    set debug 1
    # Check whether the client presented a cert after it was requested/required
    if { [SSL::cert count] > 0 } {
        # Client presented at least one cert. The actual client (leaf) cert
        # is always index 0; higher indices are the issuing chain.
        if { $debug > 0 } {
            # Loop through each cert and log its subject, issuer and serial number
            for { set i 0 } { $i < [SSL::cert count] } { incr i } {
                log local0. "client IP:port=[IP::client_addr]:[TCP::client_port]: cert $i;\
 subject: [X509::subject [SSL::cert $i]]; issuer: [X509::issuer [SSL::cert $i]];\
 cert_serial=[X509::serial_number [SSL::cert $i]];"
            }
        }
    } else {
        if { $debug > 0 } {
            log local0. "client IP:port=[IP::client_addr]:[TCP::client_port]: No client cert found!"
        }
    }
}
Sample log output:
: client IP:port=1.1.1.1:3953: cert 0; subject: emailAddress=some_user@example.com,CN=Some User,OU=Example OU,OU=Example2 OU; issuer: CN=Example CA Customer CA,O=Secure Internet Services Ltd.; cert_serial=22:22:22:22:22:22:22:22:22:22;
: client IP:port=1.1.1.1:3953: cert 1; subject: CN=Example CA Customer CA,O=Secure Internet Services Ltd.; issuer: CN=Example CA Primary CA,O=Secure Internet Services Ltd; cert_serial=11:11:11:11:11:11:11:11:11:11;
: client IP:port=1.1.1.1:3953: cert 2; subject: CN=Example CA Primary CA,O=Secure Internet Services Ltd; issuer: CN=Example CA Root CA,O=Secure Internet Services Ltd; cert_serial=00:00:00:00:00:00:00:00:00:00;
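The following iRule is an added example, not part of the F5 manual page, showing the defensive pattern the event is most often used for: refusing the connection when no client certificate was presented or when the profile's chain verification failed, and then passing the verified identity to the pool members as HTTP headers. It assumes an HTTP virtual server with a client SSL profile configured to request or require client certificates; the header names X-Client-Cert-Subject, X-Client-Cert-Issuer and X-Client-Cert-Serial are a naming convention chosen for the example.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Reject the handshake when the client did not present a certificate.
    if { [SSL::cert count] <= 0 } {
        log local0. "[IP::client_addr]:[TCP::client_port]: no client certificate presented"
        reject
        return
    }
    # Reject when the client SSL profile's verification of the chain failed
    # (untrusted issuer, expired cert, etc.). 0 means verification succeeded.
    if { [SSL::verify_result] != 0 } {
        log local0. "[IP::client_addr]:[TCP::client_port]: client certificate verification failed:\
 [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }
    # Index 0 is the leaf (end-entity) certificate; higher indices are the chain.
    # Connection-scoped variables set here remain visible in HTTP_REQUEST.
    set leaf [SSL::cert 0]
    set client_cert_subject [X509::subject $leaf]
    set client_cert_issuer  [X509::issuer $leaf]
    set client_cert_serial  [X509::serial_number $leaf]
    log local0. "[IP::client_addr]:[TCP::client_port]: accepted client cert;\
 subject: $client_cert_subject; issuer: $client_cert_issuer; cert_serial=$client_cert_serial"
}

when HTTP_REQUEST {
    # Never trust these headers as sent by the client: strip any copy it
    # supplied before inserting the values established by the handshake.
    # (Header names are the example's own convention, not an F5 default.)
    HTTP::header remove X-Client-Cert-Subject
    HTTP::header remove X-Client-Cert-Issuer
    HTTP::header remove X-Client-Cert-Serial
    if { [info exists client_cert_subject] } {
        HTTP::header insert X-Client-Cert-Subject $client_cert_subject
        HTTP::header insert X-Client-Cert-Issuer  $client_cert_issuer
        HTTP::header insert X-Client-Cert-Serial  $client_cert_serial
    }
}
```

Two points matter for safe use. First, SSL::cert count only tells you whether a certificate arrived; it is SSL::verify_result that tells you whether the profile's trust chain accepted it, so both checks are needed when the profile is set to "request" rather than "require". Second, because the identity is forwarded in plain HTTP headers, the pool members must be reachable only through the BIG-IP; otherwise a client could connect directly and supply those headers itself.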
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-9.0.0 --First introduced the event.
BIG-IP 2017-01-31 iRule(1)