For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

RiverFish's avatar
RiverFish
Icon for Altostratus rankAltostratus
Nov 27, 2012

Generate SHA1 thumbprint of incoming SSL cert

Greetings! I have a request from a developer (below). I was hoping one of you could please help me come up with a solution?   ---------------   The F5 needs to generate an SHA1 thumbprint of th...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Nov 29, 2012
Here's a quick test to show the results: 


when CLIENTSSL_CLIENTCERT {

log local0. "Got [SSL::cert count] certs"

if {[SSL::cert 0] eq ""}{
log local0. "cert 0 empty"
} else {
binary scan [SSL::cert 0] H* whole_cert_hex
log local0. "\$whole_cert_hex: $whole_cert_hex"

binary scan [sha1 [SSL::cert 0]] H* fingerprint
log local0. "sha1: $fingerprint"

binary scan [md5 [SSL::cert 0]] H* fingerprint
log local0. "md5 manual: $fingerprint"

log local0. "md5 from X509::hash: [X509::hash [SSL::cert 0]]"
}
}

And the log results:

: sha1: 591fb5e98f012218dbe946780197e061206ab35f
: md5 manual: 39b06fdf22022ff0c25672cbee2263f1
: md5 from X509::hash: 39:b0:6f:df:22:02:2f:f0:c2:56:72:cb:ee:22:63:f1

And the openssl results for the same client cert:

 openssl x509 -in client1.example.com.crt -sha1 -noout -fingerprint
SHA1 Fingerprint=59:1F:B5:E9:8F:01:22:18:DB:E9:46:78:01:97:E0:61:20:6A:B3:5F

 openssl x509 -in client1.example.com.crt -md5 -noout -fingerprint
MD5 Fingerprint=39:B0:6F:DF:22:02:2F:F0:C2:56:72:CB:EE:22:63:F1

Aaron