CLIENTSSL - iRule
Is there a method to acquire Certificate Details Subject, Serial, and Hash Values without having to trigger the request in the Client SSL Profile?
CLIENTSSL_HANDSHAKE
CLIENTSSL_DATA
CLIENTSSL_CLIENTCERT
My goal is to find out the certificate details of a client machine without requiring or requesting a certificate. Is this possible?
I'm not able to see the requested details in the [SSL:: Payload] and I am unable to see it when I trigger a "Request" option in the Client SSL Profile.
When you set the option to request, it's not a forced method. It's more like optional. You have to set it to require to make it a forced option. You can refer to the peer-cert-mode options through the KB article in depth.
Refer to the cloud docs for extracting more fields: https://clouddocs.f5.com/api/irules/X509.html
The iRule below should help with your requirement.
    ltm rule CERT_DETAILS {
        when CLIENTSSL_CLIENTCERT {
            # Did the client present at least one certificate?
            if { [SSL::cert count] > 0 } {
                # A verify result of 0 means the certificate chain validated
                if { [SSL::verify_result] == 0 } {
                    set subject [X509::subject [SSL::cert 0]]
                    # Text after "CN=" up to the next comma
                    set common_name [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
                    set serial [X509::serial_number [SSL::cert 0]]
                    set hash [X509::hash [SSL::cert 0]]
                    log local0. "Client certificate details --> SUBJECT= $subject, COMMON NAME= $common_name, SERIAL= $serial, HASH= $hash"
                } else {
                    log local0. "Client - [IP::client_addr] has provided an INVALID client certificate: [X509::verify_cert_error_string [SSL::verify_result]]"
                }
            } else {
                log local0. "Client - [IP::client_addr] provided no cert."
            }
        }
    }
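For consuming what this iRule logs, here is an added example (not part of the original answer and not F5 code): a Python parser for the three messages the rule writes, which keeps the comma-separated subject DN in one field. The sample lines, including the `Rule /Common/CERT_DETAILS <CLIENTSSL_CLIENTCERT>:` prefix, addresses, serial and hash, are constructed assumptions.

```python
import re

# Patterns mirror the three messages logged by the CERT_DETAILS iRule.
# SUBJECT is matched greedily because a DN contains commas itself; the
# COMMON NAME field cannot contain one (findstr stops at the first ",").
CERT_OK = re.compile(
    r"Client certificate details --> SUBJECT= (?P<subject>.*), "
    r"COMMON NAME= (?P<common_name>[^,]*), "
    r"SERIAL= (?P<serial>[^,\s]+), HASH= (?P<hash>\S+)\s*$"
)
CERT_INVALID = re.compile(
    r"Client - (?P<client>\S+) has provided an INVALID client certificate: "
    r"(?P<error>.*?)\s*$"
)
CERT_NONE = re.compile(r"Client - (?P<client>\S+) provided no cert\.")

PATTERNS = (
    ("valid_cert", CERT_OK),
    ("invalid_cert", CERT_INVALID),
    ("no_cert", CERT_NONE),
)

def parse_line(line):
    """Return a dict describing one iRule log line, or None if unrelated."""
    for event, pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            return {"event": event, **match.groupdict()}
    return None

def parse_log(lines):
    """Parse many lines, dropping those the iRule did not write."""
    return [rec for rec in map(parse_line, lines) if rec is not None]

# Constructed sample lines; the log prefix and every value are made up.
PREFIX = "Rule /Common/CERT_DETAILS <CLIENTSSL_CLIENTCERT>: "
SAMPLE_LOG = [
    PREFIX + "Client certificate details --> SUBJECT= CN=laptop-01.example.test,"
    "OU=Workstations,O=Example Corp,C=US, COMMON NAME= laptop-01.example.test, "
    "SERIAL= 4a:3f:01, HASH= 9f86d081884c7d65",
    PREFIX + "Client - 192.0.2.10 has provided an INVALID client certificate: "
    "certificate has expired",
    PREFIX + "Client - 192.0.2.11 provided no cert.",
    "Pool /Common/web_pool member 10.0.0.5:443 monitor status up.",
]

if __name__ == "__main__":
    for record in parse_log(SAMPLE_LOG):
        print(record)
```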