For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

2019F5DevCentra's avatar
2019F5DevCentra
Icon for Cirrus rankCirrus
Dec 09, 2019
Solved

CLIENTSSL - iRule

CLIENTSSL - iRule   Is there a method to acquire Certificate Details Subject, Serial, and Hash Values without having to trigger the request in the Client SSL Profile?   CLIENTSSL_HANDSHAKE C...
devops
iRules
  • jaikumar_f5's avatar
    jaikumar_f5
    Dec 10, 2019

    When you set the option to request, its not a force method. Its more of like optional. You have to set to require to make it forced option. You can refer the peer-cert-mode options through KB article in depth.

    Refer the cloud docs for extracting more fields: https://clouddocs.f5.com/api/irules/X509.html

    The below Irule should help your requirement.

    ltm rule CERT_DETAILS {
when CLIENTSSL_CLIENTCERT {
if {[SSL::cert count] > 0 } {
if {[SSL::verify_result] == 0 }{
    set subject [X509::subject [SSL::cert 0]]
    set common_name [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
    set serial [X509::serial_number [SSL::cert 0]]
    set hash [X509::hash [SSL::cert 0]]
    log local0. "Client certificate details --> SUBJECT= $subject, COMMON NAME= $common_name, SERIAL= $serial, HASH= $hash"
} else {
log local0. "Client - [IP::client_addr] has provided an INVALID client certificate: [X509::verify_cert_error_string [SSL::verify_result]]"
}
} else {
log local0. "Client - [IP::client_addr] provided no cert."
}
}
}
2019F5DevCentra's avatar
2019F5DevCentra
Icon for Cirrus rankCirrus
Dec 10, 2019

If an application makes a request to the VIP to access the servers. Will the "Require" option force the machine to use it's certificate in it's cert store or will this just force to request it?

 

I am attempting to passively see what the client is passing if in fact it is passing a certificate.

  • 2019F5DevCentra's avatar
    2019F5DevCentra
    Icon for Cirrus rankCirrus
    Dec 10, 2019

    I tweaked the above statement to post the output for the Client Certificate.

     

    That solved what I was trying to get at. Thanks!

  • jaikumar_f5's avatar
    jaikumar_f5
    Icon for Noctilucent rankNoctilucent
    Dec 11, 2019

    A require is like - REQUIRED. Meaning it is needed. So its a force setting asking the client to provide the certificate. The certificate could be anything from his cert store. Often it will be his machine certificate. Or in case the client machine would have installed multiple other app related certificates too. Also to note, here the SSL does not estabishes unless the cert is provided.

     

    Whereas the Request is like - making a REQUEST, if he gives, it logs. If he doesn't share, still it proceeds. Hope this helps.

     

    If you think the issue is solved, feel free to mark the thread closed as solution provided.