The more I thought about this, the more I realized the layered iRule to extract the forged issuer name would be insanely complex and not so great for performance. So I came up with a less painful option that should still do the job. Originally you were asking to extract the value and compare it. In this simpler option, however, you can just look for the forged issuer value in the server's response.
This gets applied to a layered VIP in front of the SSLFWD VIP, and does not do any TLS processing.
when CLIENT_ACCEPTED {
virtual [sslfwd vip name]
}
when SERVER_CONNECTED {
TCP::collect
}
when SERVER_DATA {
binary scan [TCP::payload] H* hex
if { ( $hex starts_with "1603" ) and ( [regexp {1603[0-9]{2}[0-9a-z]{4}0b} $hex] ) } {
log local0. "TEST: found server cert message"
regexp {1603[0-9]{2}[0-9a-z]{4}0b.*} $hex dump
if { [binary format H* $dump] contains "f5demolabs.com" } {
log local0. "TEST: found re-signed cert"
} else {
log local0. "TEST: didn't find re-signed cert"
}
}
TCP::release
TCP::collect
}
I've left the log statements in for testing. So basically, the server's Certificate message can come in the same packet as the ServerHello message, or can come afterwards. And since you don't know which will happen, you have to do a release and collect to keep digging into the payload. This isn't optimal, so you may also want to define a variable that gets set once you find what you're looking for so that you can skip any further collects.
binary scan [TCP::payload] H* hex
Grab the server's payload and convert to hex.
if { ( $hex starts_with "1603" ) and ( [regexp {1603[0-9]{2}[0-9a-z]{4}0b} $hex] ) } {
All SSL handshake messages will start with "1603" (hex), and "[regexp {1603[0-9]{2}[0-9a-z]{4}0b} $hex]" looks for a specific pattern in the dumped hex: 1603 + a 2-digit value corresponding to the TLS minor version + a 4-character hex value corresponding to the message length + "0b" indicating that this is a Certificate message.
regexp {1603[0-9]{2}[0-9a-z]{4}0b.*} $hex dump
Now that you've found this, use a version of the same regexp to pull all of the hex data in the payload to the end.
if { [binary format H* $dump] contains "f5demolabs.com" } {
Internally convert this hex to ascii and look for your local issuer CA string. If the cert wasn't forged, this won't be there.
Admittedly this isn't a particularly optimal iRule, but it's much better than trying to extract the issuer name from the TLS handshake.