The software-defined load balancer by Avi Networks lets you require an SSL client certificate by configuring an Application Profile for a Virtual Service:
Using a specific PKI Profile it is possible to define which certificates will be accepted: for example, you can configure your company's Certificate Authority.
This configuration, however, doesn't allow more precise checks on the certificate, for example on its DN (Distinguished Name).
You can write a simple datascript that, applied to the same Application Profile, performs the check:
```lua
-- Subject DN of the client certificate (nil if no certificate was presented)
clientDN = avi.ssl.client_cert(avi.CLIENT_CERT_SUBJECT)
-- The only DN that is allowed through
validDN = "/C=MyCountry/ST=MyState/L=MyLocation/OU=MyOU/CN=myCN"

if clientDN == nil then
  avi.vs.log("Missing client certificate DN")
  avi.http.response(400, {content_type="text/html"}, "Missing SSL client certificate")
elseif clientDN ~= validDN then
  avi.vs.log("Client certificate DN doesn't match: " .. clientDN .. " != " .. validDN)
  avi.http.response(400, {content_type="text/html"}, "Invalid SSL client certificate")
end
```
The script above, applied to the HTTP Request event, extracts the DN field from the client certificate and stores it in the clientDN variable. The validDN variable, in turn, contains the expected string.
Once it has been verified that the client actually presented a certificate, its DN is compared with the valid one and, if they differ, an HTTP 400 error code is returned to the client.
A line recording the error is also written to the Virtual Service log, which you can view in the dedicated tab;
it contains both DNs (the one received from the client and the one expected):
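Comparing the whole DN as one string is brittle, because attribute order and formatting can differ between CAs and certificate tooling. As an added example (not code from the original post), the variant below parses the subject DN into its RDN components and checks only the OU and CN against an allow-list; the expectedOU and allowedCN values are placeholders you would replace with your own.

```lua
-- Added example: field-based check of the client certificate subject DN.
-- Placeholder values: the OU every client must carry and the CNs allowed in.
local expectedOU = "MyOU"
local allowedCN = { ["myCN"] = true, ["myOtherCN"] = true }

-- Parse "/C=.../ST=.../OU=.../CN=..." into a table keyed by attribute type.
-- Assumes attribute values contain no '/' or '=' characters; if an attribute
-- type appears more than once, the last occurrence wins.
local function parseDN(dn)
  local rdn = {}
  for attr, value in string.gmatch(dn, "/([^=/]+)=([^/]*)") do
    rdn[attr] = value
  end
  return rdn
end

-- Log the reason and send an error response to the client.
local function reject(status, reason)
  avi.vs.log("Client certificate rejected: " .. reason)
  avi.http.response(status, {content_type="text/plain"}, "Invalid SSL client certificate")
end

local clientDN = avi.ssl.client_cert(avi.CLIENT_CERT_SUBJECT)
if clientDN == nil then
  reject(400, "missing client certificate DN")
else
  local rdn = parseDN(clientDN)
  if rdn["OU"] ~= expectedOU then
    reject(400, "OU '" .. tostring(rdn["OU"]) .. "' is not '" .. expectedOU .. "'")
  elseif not allowedCN[rdn["CN"] or ""] then
    reject(400, "CN '" .. tostring(rdn["CN"]) .. "' is not in the allowed list")
  end
end
```

The log line still carries the offending value (OU or CN), so a mismatch can be investigated from the Virtual Service log just as with the original script.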