Forum Discussion

Philip_Jonsson_'s avatar
Philip_Jonsson_
Icon for Altocumulus rankAltocumulus
Oct 23, 2018

Extracting SSL Certificate Issuer from Server Side Connection

Hello!   I'm currently trying to build an iRule to extract the SSL Certificate Issuer from the Server Side Connection. All of the examples I have seen is based on the Client Side.   To give you...
application delivery
iRules
Secure Web Gateway
serverssl
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 24, 2018

The more I thought about this, the more I realized the layered iRule to extract the forged issuer name would be insanely complex and not so great for performance. So I came up with a less painful option that should still do the job. Originally you were asking to extract the value and compare it. In this simpler option, however, you can just look for the forged issuer value in the server's response.

This gets applied to a layered VIP in front of the SSLFWD VIP, and does not do any TLS processing.

when CLIENT_ACCEPTED {
    virtual [sslfwd vip name]
}
when SERVER_CONNECTED {
    TCP::collect
}
when SERVER_DATA {
    binary scan [TCP::payload] H* hex
    if { ( $hex starts_with "1603" ) and ( [regexp {1603[0-9]{2}[0-9a-z]{4}0b} $hex] ) } {
        log local0. "TEST: found server cert message"
        regexp {1603[0-9]{2}[0-9a-z]{4}0b.*} $hex dump
        if { [binary format H* $dump] contains "f5demolabs.com" } {
            log local0. "TEST: found re-signed cert"
        } else {
            log local0. "TEST: didn't find re-signed cert"
        }
    }
    TCP::release
    TCP::collect
}

I've left the log statements in for testing. So basically, the server's Certificate message can come in the same packet as the ServerHello message, or can come afterwards. And since you don't know which will happen, you have to do a release and collect to keep digging into the payload. This isn't optimal, so you may also want to define a variable that gets set once you find what you're looking for so that you can skip any further collects.

binary scan [TCP::payload] H* hex

Grab the server's payload and convert to hex.

if { ( $hex starts_with "1603" ) and ( [regexp {1603[0-9]{2}[0-9a-z]{4}0b} $hex] ) } {

All SSL handshake messages will start with "1603" (hex), and "[regexp {1603[0-9]{2}[0-9a-z]{4}0b} $hex]" looks for a specific pattern in the dumped hex: 1603 + a 2-digit value corresponding to the TLS minor version + a 4-character hex value corresponding to the message length + "0b" indicating that this is a Certificate message.

regexp {1603[0-9]{2}[0-9a-z]{4}0b.*} $hex dump

Now that you've found this, use a version of the same regexp to pull all of the hex data in the payload to the end.

if { [binary format H* $dump] contains "f5demolabs.com" } {

Internally convert this hex to ascii and look for your local issuer CA string. If the cert wasn't forged, this won't be there.

Admittedly this isn't a particularly optimal iRule, but it's much better than trying to extract the issuer name from the TLS handshake.