Binary analysis of client certificate
Hello all,
For some reason, I am currently looking for a way to inspect the SSL client certificate during authentication on an LTM without an SSL profile. The ultimate goal is to be able to filter/log some specific fields of the certificate.
I started by looking at this article: https://community.f5.com/t5/technical-forum/standard-vip-tcp-collect-tls-analysys-w-o-offload/m-p/223027
and this other one to read the certificate in hex (originally this iRule was for the client cert).
I made some changes to these originally posted iRules and now manage to catch the TLS exchange of the certificate, and even to read some of the text of the certificate. I would like to be able to read it more precisely if possible, if you can help.
Below is my current iRule:
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    # TLS record header (type, version, length), then the handshake header
    # and the first bytes of the Certificate message, read as binary fields
    #binary scan [TCP::payload] cH4Scc7S rtype sslver rlen type somth certlength
    binary scan [TCP::payload] cH4Scc7S4c8cc rtype sslver rlen type somth certlength certpad1 certpad2 certversion
    if { ( ${rtype} == 22 ) and ( ${type} == 11 ) } {
        # This is a TLS Certificate handshake message (22 = handshake record, 11 = Certificate)
        log local0.info "Received a TLS Certificate message rtype=${rtype}, type=${type} ${sslver} ${rlen} ${type} ${somth} ${certlength} ${certversion}"
        # Dump the payload as hex and keep everything from the record header onwards;
        # only log when the pattern actually matched, otherwise $dump is unset
        binary scan [TCP::payload] H* hex
        if { [regexp {1603[0-9]{2}[0-9a-f]{4}0b.*} $hex dump] } {
            log local0.info [binary format H* $dump]
        }
    }
    TCP::release
    TCP::collect
}
Cheers,
Sam
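As an added example (not from the original post or from F5), here is a Python parser for the same bytes the iRule scans: it reassembles TLS handshake fragments across records and pulls the DER certificates out of a Certificate (type 11) message, using a constructed sample in place of a real certificate chain. This only applies to TLS 1.2 and earlier, where the client's Certificate message is sent in the clear.

```python
import struct

HANDSHAKE, CERTIFICATE = 22, 11  # record type, handshake message type

def _tls_record(body, version=b"\x03\x03"):
    # 5-byte record header: type(1) version(2) length(2), TLS 1.2
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(body)) + body

def _cert_message(der_certs):
    # Certificate message: 3-byte list length, then 3-byte length + DER per cert
    entries = b"".join(struct.pack("!I", len(c))[1:] + c for c in der_certs)
    body = struct.pack("!I", len(entries))[1:] + entries
    return bytes([CERTIFICATE]) + struct.pack("!I", len(body))[1:] + body

# Constructed placeholders (valid DER, but not real certificates)
FAKE_LEAF = b"\x30\x05\x02\x01\x01\x05\x00"
FAKE_CA = b"\x30\x03\x02\x01\x02"
_msg = _cert_message([FAKE_LEAF, FAKE_CA])
# One Certificate message deliberately split across two records
SAMPLE = _tls_record(_msg[:9]) + _tls_record(_msg[9:])

def _parse_cert_list(body):
    total = int.from_bytes(body[:3], "big")
    certs, j = [], 3
    while j < 3 + total and j + 3 <= len(body):
        clen = int.from_bytes(body[j:j + 3], "big")
        certs.append(bytes(body[j + 3:j + 3 + clen]))
        j += 3 + clen
    return certs

def extract_client_certs(stream):
    """Return DER certs from the first Certificate handshake message in the
    client-to-server TLS bytes, or [] when none is present or data is short."""
    handshake, pos = bytearray(), 0
    while pos + 5 <= len(stream):
        rtype, _ver, rlen = struct.unpack("!BHH", stream[pos:pos + 5])
        frag = stream[pos + 5:pos + 5 + rlen]
        if len(frag) < rlen:
            break  # truncated record: wait for more data
        if rtype == HANDSHAKE:
            handshake += frag  # concatenate fragments across records
        pos += 5 + rlen
    i = 0
    while i + 4 <= len(handshake):
        htype = handshake[i]
        hlen = int.from_bytes(handshake[i + 1:i + 4], "big")
        body = handshake[i + 4:i + 4 + hlen]
        if len(body) < hlen:
            break
        if htype == CERTIFICATE:
            return _parse_cert_list(body)
        i += 4 + hlen
    return []
```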