logging Subject Server Certificate -in case Server side profile

This should work;

when SERVERSSL_HANDSHAKE {
 set subject_details [X509::subject [SSL::cert 0]]
 log local0. "$subject_details"
}

You might want to check for the existence of the SSL certificate like so;

when SERVERSSL_HANDSHAKE {
 if { [SSL::cert 0] eq "" } {
  No SSL certificate present
  return
 } 
 else {
  set subject_details [X509::subject [SSL::cert 0]]
  log local0. "$subject_details"
 }
}

hi Guys

 

 

Thnx for response i tried but i am getting below error:

 

 

Dec 3 10:16:19 local/tmm5 err tmm5[6634]: 01220001:3: TCL error: cert_check_client_servere - while executing "X509::subject [SSL::cert 0]"

 

 

===below is my irule========

 

when SERVERSSL_HANDSHAKE {

 

set Ssubject_dn [X509::subject [SSL::cert 0]]

 

log "Server Certificate Received: $Ssubject_dn"

 

set Sv_result [X509::verify_cert_error_string [SSL::verify_result]]

 

log "Server Certificate verification result: $Sv_result"

 

 

}

 

SERVERSSL_HANDSHAKE:- Triggered when a server-side SSL handshake is completed.

 

But here we need state, which just before completion of ssl handshake.

SSL::cert is not valid on server-side.

 

 

SSL::cert

 

Returns the X509 SSL certificate at the specified index in the peer certificate chain, where index is a value greater than or equal to zero. A value of zero denotes the first certificate in the chain, a value of one denotes the next, and so on. This command is currently applicable only under a client-side context and returns an error within a server-side context.

SSL::cert

 

https://devcentral.f5.com/wiki/iRules.SSL__cert.ashx

 

 

so, i understand you have to collect tcp payload and parse certificate subnet by yourself. it could be something similar to what Colin and Joel have done in article below.

 

 

Multiple Certs, One VIP: TLS Server Name Indication via iRules by Colin

 

https://devcentral.f5.com/tutorials/tech-tips/multiple-certs-one-vip-tls-server-name-indication-via-irules