Forum Discussion
RiverFish
Altostratus
Nov 27, 2012
Generate SHA1 thumbprint of incoming SSL cert
Greetings! I have a request from a developer (below). I was hoping one of you could please help me come up with a solution?
---------------
The F5 needs to generate an SHA1 thumbprint of th...
nitass
Employee
Nov 28, 2012
e.g.
[root@ve10:Active] config b version|grep -iA 1 version
BIG-IP Version 10.2.4 655.0
Hotfix HF4 Edition
[root@ve10:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:443
   ip protocol 6
   rules myrule
   profiles {
      http {}
      myclientssl {
         clientside
      }
      tcp {}
   }
}
[root@ve10:Active] config b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}
[root@ve10:Active] config b profile myclientssl list
profile clientssl myclientssl {
   defaults from clientssl
   ca file "ca.crt"
   client cert ca "ca.crt"
   peer cert mode require
}
[root@ve10:Active] config b rule myrule list
rule myrule {
   when HTTP_REQUEST {
      if { [SSL::cert count] > 0 } {
         HTTP::header insert SSLClientCertSubject [X509::subject [SSL::cert 0]]
         binary scan [sha1 [SSL::cert 0]] H* cert_hex
         HTTP::header insert ClientCert-Thumbprint $cert_hex
      }
   }
}
client1 certificate
[root@ve10:Active] config ssldump -Aed -nni 0.0 port 80 or port 443 -k /config/ssl/ssl.key/default.key
New TCP connection 1: 172.28.19.251(35670) <-> 172.28.19.79(443)
1 1 1354080555.1567 (0.0241) C>S SSLv2 compatible client hello
1 2 1354080555.1568 (0.0000) S>CV3.1(81) Handshake
1 3 1354080555.1568 (0.0000) S>CV3.1(953) Handshake
1 4 1354080555.1568 (0.0000) S>CV3.1(114) Handshake
1 5 1354080555.1568 (0.0000) S>CV3.1(4) Handshake
1 6 1354080555.2336 (0.0768) C>SV3.1(1489) Handshake
1 7 1354080555.2336 (0.0000) C>SV3.1(262) Handshake
1 8 1354080555.2336 (0.0000) C>SV3.1(518) Handshake
1 9 1354080555.2336 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 10 1354080555.2336 (0.0000) C>SV3.1(36) Handshake
1 11 1354080555.2556 (0.0219) S>CV3.1(1) ChangeCipherSpec
1 12 1354080555.2556 (0.0000) S>CV3.1(36) Handshake
1 13 1354080555.2567 (0.0011) C>SV3.1(175) application_data
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.79
Accept: */*
---------------------------------------------------------------
New TCP connection 2: 200.200.200.10(35670) <-> 200.200.200.101(80)
1354080555.2599 (0.0013) C>S
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.79
Accept: */*
SSLClientCertSubject: CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US
ClientCert-Thumbprint: 9240c3ccc820c3506c271517c6d5f35d2337c57e
---------------------------------------------------------------
client2 certificate
[root@ve10:Active] config ssldump -Aed -nni 0.0 port 80 or port 443 -k /config/ssl/ssl.key/default.key
New TCP connection 1: 172.28.19.251(35671) <-> 172.28.19.79(443)
1 1 1354080624.7908 (0.0210) C>S SSLv2 compatible client hello
1 2 1354080624.7909 (0.0000) S>CV3.1(81) Handshake
1 3 1354080624.7909 (0.0000) S>CV3.1(953) Handshake
1 4 1354080624.7909 (0.0000) S>CV3.1(114) Handshake
1 5 1354080624.7909 (0.0000) S>CV3.1(4) Handshake
1 6 1354080624.9088 (0.1179) C>SV3.1(1489) Handshake
1 7 1354080624.9088 (0.0000) C>SV3.1(262) Handshake
1 8 1354080624.9088 (0.0000) C>SV3.1(518) Handshake
1 9 1354080624.9088 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 10 1354080624.9088 (0.0000) C>SV3.1(36) Handshake
1 11 1354080624.9294 (0.0206) S>CV3.1(1) ChangeCipherSpec
1 12 1354080624.9294 (0.0000) S>CV3.1(36) Handshake
1 13 1354080624.9308 (0.0013) C>SV3.1(175) application_data
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.79
Accept: */*
---------------------------------------------------------------
New TCP connection 2: 200.200.200.10(35671) <-> 200.200.200.101(80)
1354080624.9328 (0.0017) C>S
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.79
Accept: */*
SSLClientCertSubject: CN=client2.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US
ClientCert-Thumbprint: 96d093f76eb7634b377374253762b00aef036a7f
---------------------------------------------------------------
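The thumbprint the iRule above inserts is the SHA-1 of the client certificate's DER bytes, so it matches what `openssl x509 -noout -fingerprint -sha1` prints once the colons and case are normalised. As an added example (not nitass's code or anything from F5), this Python shows how a back-end server behind the BIG-IP can validate the ClientCert-Thumbprint header against an allow-list; since `HTTP::header insert` adds a header without removing one the client already sent, the check only means something when the pool member is reachable solely through the F5. The DER bytes and the allow-list are constructed; the two thumbprint values are the ones from the ssldump output above.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded client certificate (not a real cert).
# SHA-1 is computed over the raw DER bytes, exactly as the iRule's
# [sha1 [SSL::cert 0]] does, so any byte string exercises the same path.
SAMPLE_DER = b"constructed-stand-in-for-a-DER-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode to the DER bytes the F5 hashes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def thumbprint_from_der(der: bytes) -> str:
    """Lowercase hex SHA-1 of the DER: the form [binary scan ... H*] emits."""
    return hashlib.sha1(der).hexdigest()

def openssl_style(thumbprint_hex: str) -> str:
    """Same value in the form `openssl x509 -noout -fingerprint -sha1` prints."""
    h = thumbprint_hex.upper()
    return "SHA1 Fingerprint=" + ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def normalize(value: str) -> str:
    """Canonical form: 40 lowercase hex chars, colons and whitespace removed.
    Returns '' for anything that is not a well-formed SHA-1 thumbprint."""
    v = re.sub(r"[:\s]", "", value).lower()
    return v if re.fullmatch(r"[0-9a-f]{40}", v) else ""

def is_allowed(header_value: str, allowlist) -> bool:
    """Check a ClientCert-Thumbprint header value against an allow-list.
    Every entry is compared in constant time and no early exit is taken,
    so timing reveals neither a match nor which entry matched."""
    candidate = normalize(header_value)
    if not candidate:
        return False
    matched = False
    for entry in allowlist:
        matched |= hmac.compare_digest(candidate, normalize(entry))
    return matched
```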