Forum Discussion

2019F5DevCentra's avatar
2019F5DevCentra
Icon for Cirrus rankCirrus
Dec 09, 2019

CLIENTSSL - iRule

CLIENTSSL - iRule   Is there a method to acquire Certificate Details Subject, Serial, and Hash Values without having to trigger the request in the Client SSL Profile?   CLIENTSSL_HANDSHAKE C...
devops
iRules
  • jaikumar_f5's avatar
    jaikumar_f5
    Dec 10, 2019

    When you set the option to request, its not a force method. Its more of like optional. You have to set to require to make it forced option. You can refer the peer-cert-mode options through KB article in depth.

    Refer the cloud docs for extracting more fields: https://clouddocs.f5.com/api/irules/X509.html

    The below Irule should help your requirement.

    ltm rule CERT_DETAILS {
when CLIENTSSL_CLIENTCERT {
if {[SSL::cert count] > 0 } {
if {[SSL::verify_result] == 0 }{
    set subject [X509::subject [SSL::cert 0]]
    set common_name [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
    set serial [X509::serial_number [SSL::cert 0]]
    set hash [X509::hash [SSL::cert 0]]
    log local0. "Client certificate details --> SUBJECT= $subject, COMMON NAME= $common_name, SERIAL= $serial, HASH= $hash"
} else {
log local0. "Client - [IP::client_addr] has provided an INVALID client certificate: [X509::verify_cert_error_string [SSL::verify_result]]"
}
} else {
log local0. "Client - [IP::client_addr] provided no cert."
}
}
}
jaikumar_f5's avatar
jaikumar_f5
Icon for MVP rankMVP
Dec 10, 2019

When you set the option to request, its not a force method. Its more of like optional. You have to set to require to make it forced option. You can refer the peer-cert-mode options through KB article in depth.

Refer the cloud docs for extracting more fields: https://clouddocs.f5.com/api/irules/X509.html

The below Irule should help your requirement.

ltm rule CERT_DETAILS {
when CLIENTSSL_CLIENTCERT {
if {[SSL::cert count] > 0 } {
if {[SSL::verify_result] == 0 }{
    set subject [X509::subject [SSL::cert 0]]
    set common_name [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
    set serial [X509::serial_number [SSL::cert 0]]
    set hash [X509::hash [SSL::cert 0]]
    log local0. "Client certificate details --> SUBJECT= $subject, COMMON NAME= $common_name, SERIAL= $serial, HASH= $hash"
} else {
log local0. "Client - [IP::client_addr] has provided an INVALID client certificate: [X509::verify_cert_error_string [SSL::verify_result]]"
}
} else {
log local0. "Client - [IP::client_addr] provided no cert."
}
}
}