Forum Discussion
Is SSL::cert populated when using APM "On-Demand Cert Auth"?
Hi!
I have configured client cert authentication using APM and its On-Demand Cert Auth action. I would like to retrieve the client certificate in an iRule event (HTTP_REQUEST) using SSL::cert command.
In the end, I am going to hash the certificate to produce the thumbprint. As I need the binary form of the certificate, I will not use an APM session variable for this.
if { [SSL::cert count] > 0 } {
    # SHA-1 over the DER certificate, rendered as a hex string (the thumbprint)
    binary scan [sha1 [SSL::cert 0]] H* cert_thumbprint
}
Unfortunately, SSL::cert count remains 0 as if SSL::cert was not populated after the On-Demand action!? This issue does not happen when client cert authentication is performed right from a client ssl profile without APM.
Do I have to look to another event in the iRule to get an SSL::cert object populated? Something else?
Regards,
John.
- Jared_Shields (Nimbostratus)
Not an answer, but throwing it out there that I'm running into the same issue. I cannot seem to find a way to delay the certificate request, while still being able to read the certificate information in an iRule.
- Jared_Shields (Nimbostratus)
For anyone else that comes along this thread, I was unable to access the certificate through `SSL::cert` when the SSL profile was set to ignore the client certificate... We wanted to delay the cert request so we used the On-Demand action in an APM policy.
In our case, I was able to successfully retrieve the certificate from the APM variables, such as the following:
set cert_pem [ACCESS::session data get "session.ssl.cert.whole"]
To get the thumbprint, I had to convert the PEM to DER, then B64 encode/decode, and then I was able to use the code from the OP above.
- Xavier_Baugniet (Altocumulus)
Hi There,
I'm working on something similar and can't get a good solution either.
I tried "session.ssl.cert.whole" too, but I don't get the same SHA-1 hash when doing it via [SSL::cert 0].
When logging the APM variable, via APM or via iRule, the whole certificate is not there, almost 50% is missing, so I'm wondering if there is a limitation in the variable length which can be handled.
- Jared_Shields (Nimbostratus)
Hey !
I had the same issue with the thumbprint not matching... I was able to get it to work, but I'm not proud of the method though (and I haven't looked into _why_ this works). I planned to come back to this to delve deeper to understand why this works, but in the meantime, here's what worked for me:
# PEM certificate as stored by APM after On-Demand Cert Auth
set cert_pem [ACCESS::session data get "session.ssl.cert.whole"]
# PEM -> DER, then the base64 encode/decode round trip that made the hash match
set cert [b64decode [b64encode [X509::pem2der $cert_pem]]]
# SHA-1 of the DER bytes, then rendered as hex
set cert_thumbprint_binary [sha1 $cert]
binary scan $cert_thumbprint_binary H* cert_thumbprint_hex
I have absolutely NO idea why converting the DER certificate to B64 and back again causes the correct thumbprint/sha1 to be generated.... But nevertheless, after doing the encode/decode, I'm now getting the same hex thumbprint that windows and other libraries generate.
With respect to the variable getting chopped off, I'm pretty new to BIG-IP so I can't speculate much on that... Sorry!
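The procedure described in the posts above, written out as an added iRule example (not code from the thread): it reads the certificate from the APM session variable, derives the SHA-1 thumbprint with the same conversion steps, and pins it against an allow-list, refusing the request when the variable is empty or the thumbprint does not match. The allow-list value and the `X-Client-Cert-Thumbprint` header name are placeholders.

```tcl
# Added example, not from the thread. Assumes the APM policy with On-Demand
# Cert Auth has already run for this session when HTTP_REQUEST fires.
when HTTP_REQUEST {
    # Placeholder allow-list of pinned thumbprints (lowercase hex, no colons)
    set allowed_thumbprints [list "0123456789abcdef0123456789abcdef01234567"]

    set cert_pem [ACCESS::session data get "session.ssl.cert.whole"]
    if { [string length $cert_pem] == 0 } {
        # No certificate in the session: On-Demand auth has not run, or it failed
        log local0. "No client certificate in APM session; denying request"
        HTTP::respond 403 content "Client certificate required"
        return
    }

    # PEM -> DER, then the base64 round trip the poster above found necessary.
    # A truncated session variable (see the thread) makes pem2der fail or
    # produce a different DER blob, so errors are caught and the request refused.
    if { [catch {
        set cert_der [b64decode [b64encode [X509::pem2der $cert_pem]]]
    } err] } {
        log local0. "Could not convert client certificate to DER: $err"
        HTTP::respond 403 content "Invalid client certificate"
        return
    }

    # SHA-1 over the DER bytes, rendered as lowercase hex (Windows-style thumbprint)
    binary scan [sha1 $cert_der] H* cert_thumbprint
    set cert_thumbprint [string tolower $cert_thumbprint]

    if { [lsearch -exact $allowed_thumbprints $cert_thumbprint] == -1 } {
        log local0. "Client cert thumbprint $cert_thumbprint not in allow-list"
        HTTP::respond 403 content "Client certificate not authorized"
        return
    }

    # Hand the thumbprint to the pool member for correlation and audit logging
    HTTP::header insert X-Client-Cert-Thumbprint $cert_thumbprint
}
```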