Forum Discussion

midhun_108442
Mar 13, 2013

Collecting Certificate information for the client request

Hi,

I am new to the iRule feature. We are using the below iRule to get the certificate information for the client request, but the iRule below only provides the logs for a successful request. I need to change this iRule as I require the logs about the certificate information for both successful and unsuccessful certificates. Could anyone help me on this? Below is the iRule.

when CLIENTSSL_CLIENTCERT {
    set hsl [HSL::open -proto UDP -pool SYSLOG_514_POOL]
    if { [SSL::cert count] > 0 } {
        set ssl_cert [SSL::cert 0]
        # Human-readable result of the chain check against the profile's trusted CA bundle
        set errstr [X509::verify_cert_error_string [SSL::verify_result]]
        log local0. "The Client [IP::client_addr] connected with the SSL Client Certificate: [X509::subject $ssl_cert] [X509::issuer $ssl_cert] [X509::serial_number $ssl_cert] and This Certificate verification is $errstr"
        HSL::send $hsl "The Client [IP::client_addr] connected with the SSL Client Certificate: [X509::subject $ssl_cert] and This Certificate verification is $errstr"
    } else {
        # now1 was referenced but never set in the posted rule; set it so the HSL message does not hit an undefined variable
        set now1 [clock format [clock seconds]]
        log local0. "The Certificate count is [SSL::cert count] and not received any SSL client certificate from [IP::client_addr]"
        HSL::send $hsl "TCP Connection - Started, Time: $now1, The Certificate count is [SSL::cert count]. No SSL client certificate from the Client IP: [IP::client_addr]"
    }
}

Regards,

Midhun P.K

9 Replies

  • "I need to change this iRule as I require the logs about the certificate information for both successful and unsuccessful certificates." Isn't it already there?

    HSL::send $hsl "The Client [IP::client_addr] connected with the SSL Client Certificate: [X509::subject $ssl_cert] and This Certificate verification is $errstr"
  • Hi,

    Yes, the above logs for a successful entry and I am getting the output as "certificate Verification is ok", but for the certificate verification failure log, like when the client is using an unauthorized certificate, I am receiving the log message as "No SSL client certificate from the Client IP: [IP::client_addr]". There is no information about the certificate they used. I need the information about the certificate the client used during their request; what modification is required on the iRule for that?

    Regards

    Midhun P.K
  • This is mine.

    incorrect client certificate

    Mar 14 08:30:12 local/tmm info tmm[4950]: Rule myrule : The Client 172.28.19.251 connected with the SSL Client Certificate: CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US CN=caroot.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US 01 and This Certificate verification is unable to get local issuer certificate

    not sending client certificate

    Mar 14 08:30:39 local/tmm info tmm[4950]: Rule myrule : The Certificate count is 0 and not received any SSL client certificate from 172.28.19.251

  • How would you describe an "unauthorized certificate"? Can you log the output of [SSL::verify_result] directly after the CLIENTSSL_CLIENTCERT event declaration?

    when CLIENTSSL_CLIENTCERT {
       log local0. [SSL::verify_result]
       ...
    }

  • Hi,

    For testing purposes I used a client system with an incorrect certificate and I am receiving the logs as below. Here I am not getting any information about the certificate which I used in the client system; it just provides the output that there was no certificate from the client system.

    "Rule HSL-LOG : The Certificate count is 0 and not received any SSL client certificate from 10.1.1.29 "

    Instead of this I need to get the information about the certificate that the client used with the above output.

    I even tried Mr. Kevin's suggestion, but the output I am receiving for that is

    "Rule HSL-LOG2 : 50 "

    "Rule HSL-LOG2 : The Certificate count is 0 and not received any SSL client certificate from 10.1.1.29 "

    Kindly help me on this.

  • Another question: assuming you have a trusted certificate authorities bundle applied to your client SSL profile, is the "incorrect" certificate issued by any of the CAs in the bundle?
  • Dear Kevin,

    We are providing the certificate to the client issued by the CA which is applied to the client SSL profile. Using that certificate the client will initiate connectivity, but sometimes by mistake the client uses a different certificate (self-signed or another CA's certificate); at that time the F5 will block that request, giving the output "The Certificate count is 0 and not received any SSL client certificate from".

    I need to inform the client back that they are using the wrong certificate, but the above logs will not provide the information about the certificate they used, so I require exact log information with the incorrect certificate information.

    Could you please help me to change the script accordingly?

    Regards,

    Midhun P.K
  • Ahh, it's all starting to make more sense. Are you by chance only testing with IE? In my lab I can only get the "The Certificate count is 0" message with IE. In any case, there are a few things to consider:

    1. If you simply want to prevent users from selecting the wrong certificate, based on issuer, then create and apply an Advertised Certificate Authorities bundle file. This injects root hints into the client certificate request that most browsers will honor to filter the list of certificate options presented to the client. So in this case your advertised list would only contain the CA certs that you want to accept.

    2. Do you have your client SSL profile Client Certificate option set to "require"? If so, this performs a very restrictive verification process. You won't be able to return anything to the user about mismatched certificates because your SSL negotiation will have failed. If you want to send something back to the user, then you have to set the mode to Request and then make provisions in your iRule to capture verification errors (validation, wrong certificate, etc.).
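A worked iRule for the approach in point 2, added here as an example rather than code from the thread or from F5. It assumes the client SSL profile's Client Certificate setting has been changed to "request", the HSL pool SYSLOG_514_POOL from the original post, and a virtual server with an HTTP profile so that HTTP_REQUEST fires; the variable names are my own.

```tcl
# Added example (not from the thread). Assumes Client Certificate = "request" on the
# client SSL profile, so the handshake completes even with a wrong certificate and the
# iRule can both log what was presented and tell the client why it was rejected.
when CLIENT_ACCEPTED {
    # Defaults, in case CLIENTSSL_CLIENTCERT never reports a certificate
    set cert_status "no client certificate presented"
    set cert_desc "none"
    set cert_ok 0
}

when CLIENTSSL_CLIENTCERT {
    set hsl [HSL::open -proto UDP -pool SYSLOG_514_POOL]
    set vresult [SSL::verify_result]
    set cert_status [X509::verify_cert_error_string $vresult]

    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        # Subject, issuer and serial identify which certificate the client chose,
        # even when the chain check fails (e.g. self-signed or another CA's certificate)
        set cert_desc "subject=\"[X509::subject $cert]\" issuer=\"[X509::issuer $cert]\" serial=[X509::serial_number $cert]"
        # 0 means the certificate validated against the profile's trusted CA bundle
        if { $vresult == 0 } {
            set cert_ok 1
        }
    }

    set msg "client=[IP::client_addr] verify_result=$vresult ($cert_status) cert=$cert_desc"
    log local0. $msg
    HSL::send $hsl $msg
}

when HTTP_REQUEST {
    if { !$cert_ok } {
        # Reject the request but tell the user which certificate they presented and why
        # it failed, instead of a silent handshake failure. text/plain avoids rendering
        # the echoed certificate fields as HTML.
        HTTP::respond 403 content "Client certificate rejected: $cert_status. Presented: $cert_desc\r\n" "Content-Type" "text/plain" "Connection" "close"
        return
    }
}
```

Because cert_ok defaults to 0 in CLIENT_ACCEPTED, a connection that never presents a certificate is also answered with the 403 explanation rather than being served.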