Forum Discussion

SamCo
Mar 25, 2022

Binary analysis of client certificate

Hello all,

For some reason, I am currently looking for a way to inspect the SSL client certificate during authentication on an LTM without an SSL profile. The ultimate goal is to be able to filter/log some specific fields of the certificate.

I started by looking at this article:

and at this other one to read the certificate as hex (originally this iRule was for the client cert)

I made some changes to the originally posted iRules and now manage to catch the TLS exchange of the certificate, and even read some of the text of the certificate. I wish to be able to read it more precisely if possible, if you can help.

Below is my current iRule:

#Collect the client payload so CLIENT_DATA sees the raw TLS bytes
when CLIENT_ACCEPTED { TCP::collect }
when CLIENT_DATA {
    #Get the TLS record type and version, then the handshake and certificate headers, in binary
    #binary scan [TCP::payload] cH4Scc7S rtype sslver rlen type somth certlength
    #Tcl counts follow the type letter, so the trailing fields are c4 c8 c (one variable each)
    binary scan [TCP::payload] cH4Scc7Sc4c8c rtype sslver rlen type somth certlength certpad1 certpad2 certversion
    if { ( ${rtype} == 22 ) and ( ${type} == 11 ) } {
        #This is a TLS Certificate message (22 = TLS handshake record, 11 = Certificate)
        log "Received a TLS Certificate message rtype=${rtype}, type=${type} ${sslver} ${rlen} ${type} ${somth} ${certlength} ${certversion}"
        binary scan [TCP::payload] H* hex
        #Only log the dump when the regexp matched, otherwise $dump is undefined
        if { [regexp {1603[0-9]{2}[0-9a-z]{4}0b.*} $hex dump] } {
            log [binary format H* $dump]
        }
    }
    TCP::release
    TCP::collect
}
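As an added example (not from the original post, nor F5 code), the same parsing written out in Python: instead of matching the record with a hex regexp and a fixed-width `binary scan`, each length field is decoded in turn (TLS record header, handshake header, `certificates_length`, then each `certificate_length`), and a small DER walk pulls out the X.509 version byte that the iRule's `certversion` field is aiming at. It assumes, like the iRule, that the Certificate record starts at offset 0 of the payload; `FAKE_CERT` and the records built from it are constructed samples, not real certificates.

```python
import struct
TLS_HANDSHAKE = 22   # TLS record content type: handshake
HS_CERTIFICATE = 11  # handshake message type: Certificate

# Constructed sample, not a real certificate: DER SEQUENCE { SEQUENCE { [0] INTEGER 2 } }, i.e. only the tbsCertificate version field (2 = v3).
FAKE_CERT = bytes.fromhex("3007" "3005" "a003" "020102")

def build_certificate_record(certs):
    """Wrap DER blobs in a TLS 1.2 Certificate handshake message inside one record."""
    body = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    hs_body = len(body).to_bytes(3, "big") + body  # certificates_length + list
    msg = bytes([HS_CERTIFICATE]) + len(hs_body).to_bytes(3, "big") + hs_body
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack(">H", len(msg)) + msg

def parse_certificate_record(payload):
    """Return the DER certificates in a Certificate record at offset 0, or None."""
    if len(payload) < 9:
        return None
    rtype, _vmaj, _vmin, rlen = struct.unpack(">BBBH", payload[:5])
    if rtype != TLS_HANDSHAKE or payload[5] != HS_CERTIFICATE:
        return None
    hs_len = int.from_bytes(payload[6:9], "big")  # 3-byte handshake length
    hs = payload[9:9 + hs_len]
    if len(hs) != hs_len or rlen < 4 + hs_len:
        return None  # truncated segment, or message split across records
    total = int.from_bytes(hs[:3], "big")  # certificates_length
    pos, end, certs = 3, 3 + total, []
    while pos + 3 <= end:  # each entry: 3-byte certificate_length + DER bytes
        clen = int.from_bytes(hs[pos:pos + 3], "big")
        certs.append(hs[pos + 3:pos + 3 + clen])
        pos += 3 + clen
    return certs

def der_header(buf, off):
    """Decode one DER tag/length at off; return (tag, length, offset of value)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:  # short-form length
        return tag, first, off + 2
    n = first & 0x7F  # long form: n length bytes follow (e.g. 30 82 xx xx)
    return tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n

def der_version(cert):
    """Read the X.509 version from a DER certificate (0 = v1, 2 = v3)."""
    _, _, off = der_header(cert, 0)  # Certificate SEQUENCE
    _, _, off = der_header(cert, off)  # tbsCertificate SEQUENCE
    tag, n, off = der_header(cert, off)  # [0] EXPLICIT version; absent in v1
    if tag != 0xA0:
        return 0
    _, n, off = der_header(cert, off)  # INTEGER
    return int.from_bytes(cert[off:off + n], "big")
```

A TCP segment that carries only part of the message returns None rather than a half-read certificate, which is the case a regexp over the hex dump silently gets wrong.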

2 Replies

  • Hello, I made something similar last year to extract a specific SSL extension (type 0, SNI) and log it in ASCII format. It uses SSL:: iRule commands and a procedure to convert hex to ASCII.

    I attached code to this message. You might want to tune it.