F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

RiverFish's avatar
RiverFish
Icon for Altostratus rankAltostratus
Nov 27, 2012

Generate SHA1 thumbprint of incoming SSL cert

Greetings! I have a request from a developer (below). I was hoping one of you could please help me come up with a solution?   ---------------   The F5 needs to generate an SHA1 thumbprint of th...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Nov 28, 2012
HTTP::header replace will only affect the last header instance so an attacker could still inject a header by setting more than one. I put in a feature request to create an 'HTTP::header replace-all $name $value' command which would replace all existing $name headers with one new value.

For now, if you want to guarantee that no client set headers are included in the proxied request to the server, you can do this: 


when HTTP_REQUEST {
    if { [SSL::cert count] > 0 } {
        HTTP::header remove SSLClientCertSubject
        HTTP::header insert SSLClientCertSubject [X509::subject [SSL::cert 0]]

        binary scan [sha1 [SSL::cert 0]] H* cert_hex
        HTTP::header remove ClientCertThumbprint
        HTTP::header insert ClientCertThumbprint $cert_hex
    }
}

Aaron