Forum Discussion

John_Deckers's avatar
Icon for Nimbostratus rankNimbostratus
May 24, 2018

Is SSL::cert populated when using APM "On-Demand Cert Auth"?


I have configured client cert authentication using APM and its On-Demand Cert Auth action. I would like to retrieve the client certificate in an iRule event (HTTP_REQUEST) using SSL::cert command.

In the end, I am going to hash the certificate to produce the thumbprint. As I need to the binary form of the certificate, I will not use APM session variable for this.

if { [SSL::cert count] > 0 } {
   binary scan [sha1 [SSL::cert 0]] H* cert_thumbprint

Unfortunately, SSL::cert count remains 0 as if SSL::cert was not populated after the On-Demand action!? This issue does not happen when client cert authentication is performed right from a client ssl profile without APM.

Do I have to look to another event in the iRule to get an SSL::cert object populated? Something else?



4 Replies

  • Not an answer, but throwing it out there that I'm running into the same issue. I cannot seem to find a way to delay the certificate request, while still being able to read the certificate information in an irule.

  • For anyone else that comes along this thread, I was unable to access the certificate through `SSL::cert` when the SSL profile was set to ignore the client certificate... We wanted to delay the cert request so we used the On-Demand action in an APM policy.


    In our case, I was able to successfully retrieve the certificate from the APM variables, such as the following:

    set cert_pem [ACCESS::session data get "session.ssl.cert.whole"]

    To get the thumbprint, I had to convert the PEM to DER, then B64 encode/decode, and then I was able to use the code from the OP above.

  • Hi There,


    I'm working on something similar and can't get a good solution either.


     I tried "session.ssl.cert.whole" too, but I don't get the same SHA-1 hash when doing it via [SSL::cert 0].


    When logging the APM variable, via APM or via iRule, the whole certificate is not there, almost 50% is missing, so I'm wondering if there a limitation in variable length which can be handle.

  • Hey !

    I had the same issue with the thumbprint not matching... I was able to get it to work, but im not proud about the method though (and I havent looked into _why_ this works). I planned to come back to this to delve deeper to understand why this works, but in the meantime, here's what worked for me:

    set cert_pem [ACCESS::session data get "session.ssl.cert.whole"]
    set cert [b64decode [b64encode [X509::pem2der $cert_pem]]]
    set cert_thumbprint_binary [sha1 $cert]
    binary scan $cert_thumbprint_binary H* cert_thumbprint_hex

    I have absolutely NO idea why converting the DER certificate to B64 and back again causes the correct thumbprint/sha1 to be generated.... But nevertheless, after doing the encode/decode, I'm now getting the same hex thumbprint that windows and other libraries generate.

    With respect to the variable getting chopped off, I'm pretty new to BIG-IP so I can't speculate much on that... Sorry!