Forum Discussion
RiverFish
Altostratus
Nov 27, 2012
Generate SHA1 thumbprint of incoming SSL cert
Greetings! I have a request from a developer (below). I was hoping one of you could please help me come up with a solution?
---------------
The F5 needs to generate an SHA1 thumbprint of th...
hoolio
Cirrostratus
Nov 29, 2012
HTTP::header replace will only affect the last header instance so an attacker could still inject a header by setting more than one. I put in a feature request to create an 'HTTP::header replace-all $name $value' command which would replace all existing $name headers with one new value.
For now, if you want to guarantee that no client set headers are included in the proxied request to the server, you can do this:
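when HTTP_REQUEST {
    # Always strip any client-supplied copies first, even when no client
    # certificate was presented, so these headers can only come from the BIG-IP.
    HTTP::header remove SSLClientCertSubject
    HTTP::header remove ClientCertThumbprint

    if { [SSL::cert count] > 0 } {
        # Subject of the client certificate
        HTTP::header insert SSLClientCertSubject [X509::subject [SSL::cert 0]]

        # SHA1 of the certificate, converted to a hex string
        binary scan [sha1 [SSL::cert 0]] H* cert_hex
        HTTP::header insert ClientCertThumbprint $cert_hex
    }
}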
Aaron
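The difference between replacing only the last header instance and removing every instance before inserting, modelled outside the BIG-IP as an added example (not code from this thread or from F5). The header list, the stand-in certificate bytes and the function names are constructed for illustration; `replace_last` models the behaviour described in the reply above.

```python
import hashlib

HEADER = "ClientCertThumbprint"

def thumbprint(cert_der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha1(cert_der).hexdigest()

def replace_last(headers, name, value):
    """Model of 'replace': only the last matching instance is rewritten."""
    out = list(headers)
    for i in range(len(out) - 1, -1, -1):
        if out[i][0].lower() == name.lower():
            out[i] = (out[i][0], value)
            return out
    out.append((name, value))  # no instance present: add one
    return out

def remove_then_insert(headers, name, value):
    """Model of 'remove' followed by 'insert': every client copy is dropped."""
    out = [(n, v) for n, v in headers if n.lower() != name.lower()]
    out.append((name, value))
    return out

def values(headers, name):
    """All values a backend would see for this header, in order."""
    return [v for n, v in headers if n.lower() == name.lower()]

# Constructed sample input: not a real certificate or a captured request.
CERT_DER = b"constructed stand-in for DER certificate bytes"
CLIENT_HEADERS = [
    ("Host", "app.example.test"),
    (HEADER, "client-supplied-1"),
    (HEADER, "client-supplied-2"),
]

def demo():
    real = thumbprint(CERT_DER)
    weak = values(replace_last(CLIENT_HEADERS, HEADER, real), HEADER)
    safe = values(remove_then_insert(CLIENT_HEADERS, HEADER, real), HEADER)
    return real, weak, safe

if __name__ == "__main__":
    real, weak, safe = demo()
    print("replace (last only):", weak)  # first client value survives
    print("remove + insert:    ", safe)  # only the proxy's value remains
```

A backend that reads the first instance of the header would trust the surviving client value in the replace-only case, which is why the server should only ever see the single proxy-inserted header.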
