Forum Discussion
CLIENTSSL - iRule
- Dec 10, 2019
When you set the option to request, it's not a forced method. It's more like optional. You have to set it to require to make it a forced option. You can refer to the peer-cert-mode options in the KB article in depth.
Refer to the cloud docs for extracting more fields: https://clouddocs.f5.com/api/irules/X509.html
The below iRule should help your requirement.
ltm rule CERT_DETAILS {
    when CLIENTSSL_CLIENTCERT {
        # A client cert was presented; with peer-cert-mode "request" the count can be 0
        if { [SSL::cert count] > 0 } {
            # verify_result is 0 only when the chain validated against the profile's CA bundle
            if { [SSL::verify_result] == 0 } {
                set subject [X509::subject [SSL::cert 0]]
                set common_name [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
                set serial [X509::serial_number [SSL::cert 0]]
                set hash [X509::hash [SSL::cert 0]]
                log local0. "Client certificate details --> SUBJECT= $subject, COMMON NAME= $common_name, SERIAL= $serial, HASH= $hash"
            } else {
                log local0. "Client - [IP::client_addr] has provided an INVALID client certificate: [X509::verify_cert_error_string [SSL::verify_result]]"
            }
        } else {
            log local0. "Client - [IP::client_addr] provided no cert."
        }
    }
}
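The logging iRule above is passive: under peer-cert-mode "request" the TLS handshake completes whether or not the client presents a valid certificate, so the log line is the only effect. The following is an added example (not code from the original post or from F5) of the enforcing variant that keeps the profile at "request" but denies the HTTP request unless validation succeeded. It assumes an HTTP virtual server with a client-ssl profile whose ca-file points at the issuing CA; the variable names cert_state and cert_cn and the header name X-Client-CN are assumptions chosen for this example.

```tcl
# Added example, not from the original post. Assumes a client-ssl profile
# with peer-cert-mode "request" and ca-file set to the issuing CA, attached
# to an HTTP virtual server. Variable and header names are assumptions.
when CLIENTSSL_CLIENTCERT {
    # Default to "none" so HTTP_REQUEST denies unless validation explicitly passed.
    set cert_state "none"
    if { [SSL::cert count] > 0 } {
        # 0 means the chain validated against the profile's trusted CA bundle.
        if { [SSL::verify_result] == 0 } {
            set cert_state "valid"
            # Extract the CN value (skip the 3 chars of "CN=", stop at the next comma).
            set cert_cn [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
        } else {
            set cert_state "invalid"
            log local0. "Client [IP::client_addr] presented an INVALID cert: [X509::verify_cert_error_string [SSL::verify_result]]"
        }
    } else {
        log local0. "Client [IP::client_addr] presented no cert."
    }
}

when HTTP_REQUEST {
    # The handshake already succeeded under "request" mode, so enforcement
    # happens here. Missing cert_state (event never fired) is treated as a failure.
    if { ![info exists cert_state] || $cert_state ne "valid" } {
        HTTP::respond 403 content "Client certificate required" "Connection" "close"
        return
    }
    # Pass the verified CN to the pool members; replace overwrites any
    # client-supplied header of the same name so it cannot be spoofed.
    HTTP::header replace X-Client-CN $cert_cn
}
```

The default-deny in HTTP_REQUEST matters because the two events are independent: if CLIENTSSL_CLIENTCERT did not run for a given connection, cert_state is unset and the request is still refused rather than silently allowed.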
If an application makes a request to the VIP to access the servers, will the "Require" option force the machine to use its certificate in its cert store, or will this just force it to request it?
I am attempting to passively see what the client is passing if in fact it is passing a certificate.
I tweaked the above statement to post the output for the Client Certificate.
That solved what I was trying to get at. Thanks!