DataScript: avi.ssl.client_cert

Arguments: avi.ssl.client_cert( [ [avi.CLIENT_CERT] [, avi.CLIENT_CERT_FINGERPRINT] [, avi.CLIENT_CERT_SUBJECT] [, avi.CLIENT_CERT_ISSUER] [, avi.CLIENT_CERT_SERIAL] [, avi.CLIENT_CERT_NOTVALIDBEFORE] [, avi.CLIENT_CERT_NOTVALIDAFTER] [, avi.CLIENT_CERT_VERSION] [, avi.CLIENT_CERT_SIGALG] ] )
Description: Returns the client certificate in the PEM format for an established SSL connection. Optional parameters will filter the fields returned from the client certificate.
Events: HTTP_REQ, HTTP_RESP
Parameters: When no argument or `avi.CLIENT_CERT` is specified, returns the client certificate in the PEM format for an established SSL connection from the client to the virtual service, with each line except the first prepended with the tab character.
  • avi.CLIENT_CERT_NOTVALIDBEFORE: Returns the not valid before time from the client certificate
  • avi.CLIENT_CERT_NOTVALIDAFTER: Returns the not valid after time from the client certificate
  • avi.CLIENT_CERT_VERSION: Returns the version number of the client certificate
  • avi.CLIENT_CERT_SIGALG: Returns the signature algorithm of the client certificate
  • avi.CLIENT_CERT_SUBJECT: Returns the subject DN string
  • avi.CLIENT_CERT_ISSUER: Returns the issuer DN string
  • avi.CLIENT_CERT_SERIAL: Returns the serial number
  • avi.CLIENT_CERT_FINGERPRINT: Returns the SHA1 fingerprint (hash) of the cert
  • Note: The args `avi.CLIENT_CERT_NOTVALIDBEFORE`, `avi.CLIENT_CERT_NOTVALIDAFTER`, `avi.CLIENT_CERT_VERSION`, `avi.CLIENT_CERT_SIGALG` are introduced in Avi Vantage version 20.1.5.
Returns: Up to nine values, one per argument given, pertaining to the client cert and its fields.
Example 1: If the cert's issuer isn't correct, add the issuer to a header and forward to a quarantine server pool.

if avi.ssl.client_cert(avi.CLIENT_CERT_ISSUER) ~=
      "/C=US/O=foo/OU=www.foo.com/CN=www.foo.com/email=admin@foo.com" then
   avi.http.add_header("client_cert_issuer",
      avi.ssl.client_cert(avi.CLIENT_CERT_ISSUER))
   avi.pool.select("Quarantine-Pool")
end
Example 2: Logs the client cert attributes for the SSL connection.

if avi.http.secure() then -- test if the connection is secure
   local fingerprint = avi.ssl.client_cert(avi.CLIENT_CERT_FINGERPRINT)
   avi.vs.log(fingerprint)
end
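The following is an added example, not code from the Avi documentation page. It builds on Examples 1 and 2 by fetching several fields in one call, enforcing an allowlist of client-certificate fingerprints, and logging the issuer and serial of rejected certificates so an operator can trace them. It assumes (none of this is stated on the page) that multiple selectors return their values in argument order, that a request without a client certificate yields nil or an empty string, that avi.http.response(status) sends a response directly from the DataScript, and that the pool name "Mtls-Pool" and the fingerprint values are placeholders you would replace with your own.

```lua
-- Added example (not from the Avi page): allowlist client certificates by
-- SHA1 fingerprint, forward selected fields to the pool, and log rejections.
-- Assumptions not stated on the page: multiple selectors return values in
-- argument order; a request with no client certificate yields nil or "";
-- avi.http.response(status) sends a response from the DataScript.
-- Attach to the HTTP_REQ event.

-- Constructed allowlist: placeholder SHA1 hex digests, not real certificates.
local ALLOWED_FINGERPRINTS = {
   ["0123456789ABCDEF0123456789ABCDEF01234567"] = true,
   ["89ABCDEF0123456789ABCDEF0123456789ABCDEF"] = true,
}

-- Normalise a fingerprint so "ab:cd:..." and "ABCD..." compare equal.
-- gsub returns two values; the extra parentheses keep only the string.
local function normalise_fingerprint(fp)
   if fp == nil then return nil end
   return string.upper((string.gsub(fp, ":", "")))
end

if not avi.http.secure() then
   -- Plain HTTP: there is no client certificate to inspect.
   avi.http.response(403)
   return
end

-- Fetch several fields with one call; assumed to come back in argument order.
local fingerprint, subject, issuer, serial = avi.ssl.client_cert(
   avi.CLIENT_CERT_FINGERPRINT,
   avi.CLIENT_CERT_SUBJECT,
   avi.CLIENT_CERT_ISSUER,
   avi.CLIENT_CERT_SERIAL)

if fingerprint == nil or fingerprint == "" then
   -- TLS session without a client certificate (for example, optional mTLS).
   avi.vs.log("no client certificate presented")
   avi.http.response(403)
   return
end

if not ALLOWED_FINGERPRINTS[normalise_fingerprint(fingerprint)] then
   -- Log enough to investigate (issuer and serial identify the cert), then deny.
   avi.vs.log("client cert rejected: issuer=" .. tostring(issuer) ..
              " serial=" .. tostring(serial) ..
              " fingerprint=" .. fingerprint)
   avi.http.response(403)
   return
end

-- Allowed: expose the verified identity to the backend and pick the mTLS pool.
avi.http.add_header("X-Client-Cert-Subject", subject)
avi.http.add_header("X-Client-Cert-Serial", serial)
avi.pool.select("Mtls-Pool")
```

Two design points: the fingerprint is normalised before lookup because the exact output format (case, colon separators) is not specified on the page, and comparing a fingerprint rather than the issuer DN string, as Example 1 does, ties the decision to one specific certificate rather than to a name any certificate could carry. Because avi.http.add_header appends rather than replaces, strip any client-supplied copy of these headers earlier in the request pipeline so the backend only ever sees the values set here.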