CLIENTSSL - iRule
Is there a method to acquire Certificate Details Subject, Serial, and Hash Values without having to trigger the request in the Client SSL Profile?
CLIENTSSL_HANDSHAKE
CLIENTSSL_DATA
CLIENTSSL_CLIENTCERT
My goal is to find out the certificate details of a client machine without requiring or requesting a certificate. Is this possible?
I'm not able to see the requested details in [SSL::payload], and I am unable to see them when I trigger the "Request" option in the Client SSL Profile.
When you set the option to Request, it's not a forced method; it's more like optional. You have to set it to Require to make it forced. You can refer to the peer-cert-mode options in the KB article for more depth.
Refer the cloud docs for extracting more fields: https://clouddocs.f5.com/api/irules/X509.html
The iRule below should help with your requirement.

ltm rule CERT_DETAILS {
    when CLIENTSSL_CLIENTCERT {
        # Fires once the client's certificate (chain) has been received.
        if { [SSL::cert count] > 0 } {
            if { [SSL::verify_result] == 0 } {
                # Chain validated against the profile's trusted CAs
                set subject [X509::subject [SSL::cert 0]]
                set common_name [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
                set serial [X509::serial_number [SSL::cert 0]]
                set hash [X509::hash [SSL::cert 0]]
                log local0. "Client certificate details --> SUBJECT= $subject, COMMON NAME= $common_name, SERIAL= $serial, HASH= $hash"
            } else {
                log local0. "Client - [IP::client_addr] has provided an INVALID client certificate: [X509::verify_cert_error_string [SSL::verify_result]]"
            }
        } else {
            # With peer-cert-mode "request" the client may legitimately send nothing
            log local0. "Client - [IP::client_addr] provided no cert."
        }
    }
}
ltm rule CERT_DETAILS {
    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert count] > 0 } {
            if { [SSL::verify_result] == 0 } {
                set subject [X509::subject [SSL::cert 0]]
                set common_name [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
                set serial [X509::serial_number [SSL::cert 0]]
                set hash [X509::hash [SSL::cert 0]]
                log local0. "Client certificate details --> SUBJECT= $subject, COMMON NAME= $common_name, SERIAL= $serial, HASH= $hash"
            } else {
                # Also capture the details of a certificate that failed validation,
                # so the log shows what the client actually presented
                set subject [X509::subject [SSL::cert 0]]
                set common_name [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
                set serial [X509::serial_number [SSL::cert 0]]
                set hash [X509::hash [SSL::cert 0]]
                log local0. "Client - [IP::client_addr] has provided an INVALID client certificate: [X509::verify_cert_error_string [SSL::verify_result]] --> SUBJECT= $subject, COMMON NAME= $common_name, SERIAL= $serial, HASH= $hash"
            }
        } else {
            log local0. "Client - [IP::client_addr] provided no cert."
        }
    }
}

This was my final solution. Thanks!
If an application makes a request to the VIP to access the servers, will the "Require" option force the machine to use the certificate in its cert store, or will this just force a request for it?
I am attempting to passively see what the client is passing if in fact it is passing a certificate.
I tweaked the above statement to post the output for the Client Certificate.
That solved what I was trying to get at. Thanks!
Require is like REQUIRED, meaning it is needed. So it is a forced setting asking the client to provide the certificate. The certificate could be anything from its cert store. Often it will be its machine certificate, or, in case the client machine has installed multiple other app-related certificates, one of those. Also note that here the SSL session is not established unless the cert is provided.
Whereas Request is like making a REQUEST: if the client gives one, it logs; if it doesn't share one, it still proceeds. Hope this helps.
If you think the issue is solved, feel free to mark the thread as closed with the solution provided.
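As an added example, not code from this thread or from F5, the iRule below builds on the distinction made in the answers: with peer-cert-mode set to Request the handshake completes whether or not the client sends a certificate, so the rule records the outcome in connection-scoped variables during CLIENTSSL_CLIENTCERT and, in HTTP_REQUEST, passes the details to the pool member as headers. The header names (X-Client-Cert-*) are assumed for illustration, as is a Client SSL profile with a trusted CA bundle configured so that SSL::verify_result is meaningful. Any client-supplied copy of those headers is stripped first, so a client with no certificate, or with one that failed chain validation, cannot make the pool member believe it presented a verified identity.

```tcl
ltm rule CERT_TO_HEADERS {
    # Added example. Assumes a Client SSL profile with peer-cert-mode "request"
    # and a trusted CA bundle, so that SSL::verify_result reflects chain validation.
    when CLIENTSSL_CLIENTCERT {
        # Connection-scoped state. "none" is the case Request mode allows and
        # Require mode never reaches, because the handshake fails instead.
        set cert_status "none"
        set cert_subject ""
        set cert_serial ""
        set cert_hash ""
        if { [SSL::cert count] > 0 } {
            # Index 0 is the leaf (end-entity) certificate of the chain
            set leaf [SSL::cert 0]
            set cert_subject [X509::subject $leaf]
            set cert_serial [X509::serial_number $leaf]
            set cert_hash [X509::hash $leaf]
            if { [SSL::verify_result] == 0 } {
                set cert_status "verified"
            } else {
                # Chain validation failed: keep the details for the log only,
                # never forward them as a trusted identity
                set cert_status "unverified"
                log local0. "[IP::client_addr]: unverified client cert SUBJECT=$cert_subject SERIAL=$cert_serial HASH=$cert_hash ([X509::verify_cert_error_string [SSL::verify_result]])"
            }
        }
    }
    when HTTP_REQUEST {
        # Assumed header names. Remove any client-supplied copies first so a
        # request cannot inject a fake identity for the pool member to trust.
        foreach h {X-Client-Cert-Status X-Client-Cert-Subject X-Client-Cert-Serial X-Client-Cert-Hash} {
            HTTP::header remove $h
        }
        # Defensive default if no certificate event ran on this connection
        if { ![info exists cert_status] } {
            set cert_status "none"
        }
        HTTP::header insert "X-Client-Cert-Status" $cert_status
        if { $cert_status eq "verified" } {
            HTTP::header insert "X-Client-Cert-Subject" $cert_subject
            HTTP::header insert "X-Client-Cert-Serial" $cert_serial
            HTTP::header insert "X-Client-Cert-Hash" $cert_hash
        }
    }
}
```

The variables survive between the two events because iRule variables are scoped to the TCP connection; every HTTP request on that connection therefore carries the status of the TLS handshake that opened it. If the profile is switched to Require, the "none" branch becomes unreachable and only the verified and unverified branches remain.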