Extracting SSL Certificate Issuer from Server Side Connection
Exactly, Kevin. We have set up a Transparent SSL Forwarding Solution with the default action of SSL Bypass. However, due to the bug documented in bug ID 673357, "SWG puts flow in intercept when session is not found", the SWG is still intercepting the SSL session.
It happens when the APM Session is being created. This is solved by an iRule that manually creates the APM session in the CLIENT_ACCEPTED event.
So the signer of the certificate should, by default, always be the original certificate authority.
Even with this iRule, we intermittently hit this problem. I have the exact same environment set up in my home and, due to the low traffic amount, it happens very seldom. What I want is to have the BIG-IP log whenever the issuer is the SWG, meaning we are hitting the bug. I can use that myself and also in the customer environment.
I have tried creating an iRule using the SSL::cert issuer command, but the wiki says it's only applicable on the client side, which won't work in my case.
The data should be extractable from the SERVER_DATA event, but with my limited iRule knowledge, it will be quite difficult to set up. Been Googling like crazy but only found examples from a client-side perspective with standard commands.