Forum Discussion
Dec 09, 2019 - Cirrus
CLIENTSSL - iRule
Is there a method to acquire certificate details (Subject, Serial, and Hash values) without having to trigger the request in the Client SSL Profile? CLIENTSSL_HANDSHAKE C...
- Dec 10, 2019
When you set the option to request, it's not a forced method; it's more like optional. You have to set it to require to make it a forced option. You can refer to the peer-cert-mode options in the KB article in depth.
Refer to the cloud docs for extracting more fields: https://clouddocs.f5.com/api/irules/X509.html
The iRule below should help with your requirement.
ltm rule CERT_DETAILS {
    when CLIENTSSL_CLIENTCERT {
        # Fires when the client answers the certificate request; with
        # peer-cert-mode "request" the client may send no cert at all.
        if { [SSL::cert count] > 0 } {
            if { [SSL::verify_result] == 0 } {
                # Chain verified against the profile's trusted CA bundle
                set subject [X509::subject [SSL::cert 0]]
                set common_name [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
                set serial [X509::serial_number [SSL::cert 0]]
                set hash [X509::hash [SSL::cert 0]]
                log local0. "Client certificate details --> SUBJECT= $subject, COMMON NAME= $common_name, SERIAL= $serial, HASH= $hash"
            } else {
                # Cert presented but verification failed; log the reason
                log local0. "Client - [IP::client_addr] has provided an INVALID client certificate: [X509::verify_cert_error_string [SSL::verify_result]]"
            }
        } else {
            log local0. "Client - [IP::client_addr] provided no cert."
        }
    }
}
Dec 11, 2019 - Cirrus
ltm rule CERT_DETAILS {
    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert count] > 0 } {
            if { [SSL::verify_result] == 0 } {
                # Verified cert: extract and log the details
                set subject [X509::subject [SSL::cert 0]]
                set common_name [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
                set serial [X509::serial_number [SSL::cert 0]]
                set hash [X509::hash [SSL::cert 0]]
                log local0. "Client certificate details --> SUBJECT= $subject, COMMON NAME= $common_name, SERIAL= $serial, HASH= $hash"
            } else {
                # Invalid cert: the details are still extracted into variables,
                # but only the verification error string is written to the log
                set subject [X509::subject [SSL::cert 0]]
                set common_name [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
                set serial [X509::serial_number [SSL::cert 0]]
                set hash [X509::hash [SSL::cert 0]]
                log local0. "Client - [IP::client_addr] has provided an INVALID client certificate: [X509::verify_cert_error_string [SSL::verify_result]]"
            }
        } else {
            log local0. "Client - [IP::client_addr] provided no cert."
        }
    }
}
Was my final Solution - Thanks!
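Because peer-cert-mode "request" does not force the client to present a certificate, an iRule that only logs will still let connections with no certificate, or an unverifiable one, reach the pool. The following iRule is an added example, not code from this thread, that enforces presence and validity in the CLIENTSSL_CLIENTCERT event and then passes the extracted details to the pool member; the rule name and the X-Client-Cert-* header names are assumptions.

```tcl
# Added example (not from the thread): enforce client-cert presence and
# validity in the iRule when the profile uses peer-cert-mode "request",
# then hand the certificate details to the pool member as headers.
ltm rule CLIENT_CERT_ENFORCE {
    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert count] == 0 } {
            log local0. "Client [IP::client_addr] provided no cert, rejecting"
            reject
            return
        }
        if { [SSL::verify_result] != 0 } {
            log local0. "Client [IP::client_addr] sent an INVALID cert: [X509::verify_cert_error_string [SSL::verify_result]], rejecting"
            reject
            return
        }
        # Chain verified: keep the details in connection-scoped variables
        # so the HTTP events on this connection can use them.
        set cert_subject [X509::subject [SSL::cert 0]]
        set cert_cn      [findstr $cert_subject "CN=" 3 ","]
        set cert_serial  [X509::serial_number [SSL::cert 0]]
        set cert_hash    [X509::hash [SSL::cert 0]]
        log local0. "Client [IP::client_addr] cert OK: CN=$cert_cn SERIAL=$cert_serial HASH=$cert_hash"
    }

    when HTTP_REQUEST {
        # Remove any client-supplied copies of these headers (assumed names)
        # so the pool member only ever sees values set by the BIG-IP.
        HTTP::header remove "X-Client-Cert-Subject"
        HTTP::header remove "X-Client-Cert-Serial"
        HTTP::header remove "X-Client-Cert-Hash"
        if { [info exists cert_hash] } {
            HTTP::header insert "X-Client-Cert-Subject" $cert_subject
            HTTP::header insert "X-Client-Cert-Serial"  $cert_serial
            HTTP::header insert "X-Client-Cert-Hash"    $cert_hash
        }
    }
}
```

The same rejection branches work unchanged with peer-cert-mode "require"; in that case the profile already drops handshakes without a certificate and the iRule only adds the logging and header hand-off.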