Forum Discussion

Derek_Nelson_10
Aug 24, 2005

Problem with Certificate Hash verification

Hi all.
I'm having a problem with verifying connections to a particular proxy that "requires" a client cert. The proxy is inserting the Certificate Serial Number and Certificate Hash into the HTTP Header.
Trying to use this iRule:

    if (http_header("SSLClientCertSerialNumber") == one of Cert_SN and http_header("SSLClientCertHash") == one of Cert_Hash) {
      log "MutualSSL accepted from:${client_addr}"
      use pool web-pool
    }
    else {
      log "MutualSSL Denied from:${client_addr}"
      discard
    }

    Class Cert_Hash String
    XX:YY:ZZ:C2:9A:B9:B5:20:BE:DA:1E:3F:C7:A8:A6:29
    XXYYZZC29AB9B520BEDA1E3FC7A8A629
    xx:yy:zz:c2:9a:b9:b5:20:be:da:1e:3f:c7:a8:a6:29

    Cert_SN String
    xx:yy:zz:44:91:79:b3:ae:7e:9d:6c:49:22:c2:6a:ef
    xx:yy:zz:39:b1:7a:f3:2c:29:e7:00:64:62:a5:86:b6

(xyz's inserted manually here...)

Currently none of the hashes above work, and the serial numbers do work. I checked this by removing the appropriate condition in the rule individually.
SOL1910 from ASK F5 KB shows the hash format as above. I have tried (as you can see) both upper and lower case, as the article shows lower case for serial numbers but upper case for the hashes. Anyone know if this is case sensitive?
I have got the hashes by exporting the certificate in DER, Base64 PEM, and PKCS formats and tried all the separate hashes (using the command "md5 certificate.crt" and converting the format, inserting the colons) to no avail.
What I'm trying to achieve is to restrict my "mutual SSL" B2B connection to only a select few certificates, rather than allowing any certificate signed by a specific CA like in the ca-bundle.crt (Client Trusted CAs File)...
Thanks,

- Derek.

2 Replies

  • Martin_Machacek (Historic F5 Account)
    Derek,

    To troubleshoot your problem, add to your rule logging of the cert hash extracted from the header, like this:

    if (http_header("SSLClientCertSerialNumber") == one of Cert_SN and
    http_header("SSLClientCertHash") == one of Cert_Hash) {
      log "MutualSSL accepted from:${client_addr} hash: " + http_header("SSLClientCertHash")
      use pool web-pool
    }
    else {
      log "MutualSSL Denied from:${client_addr} hash: " + http_header("SSLClientCertHash")
      discard
    }

    That will allow you to find out what you need to match.
  • Thanks mmac.

    I'd just figured out the problem yesterday actually and hadn't got around to posting the fix. I managed to capture the hash by using an "ssldump -AnP -i internal -k cert.key -p password | grep SSLC" command.

    Thanks for the help - this would have made the troubleshooting a lot easier! I'll incorporate the concatenation into my logs. It seems not to interpret the ${client_addr} for some reason, but if I do multiple log entries it seems to work OK.

    The problem I had was I was trying to compare the md5 hash of the PEM certificate. It appears that browsers "present" the certs in DER format, and the BIG-IP then md5 hashes that. The hash is also converted to upper-case hex with colons after every 2 characters, unlike the Serial Number, which is in a similar format but in lower-case hex.

    Cheers,

    - Derek.
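The format Derek arrives at above (MD5 over the DER bytes the browser presents, upper-case colon-separated hex for the hash, lower-case colon-separated hex for the serial) can be reproduced offline to generate the class entries from the certificates you hold. The following is an added example written for this thread, not code from the original posts or from F5; the function names, the hypothetical sample certificate structure and the handling of a leading 0x00 byte in the serial are my own assumptions, so compare the output against the logged header values before relying on it.

```python
import base64
import hashlib
import re

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode: these are the DER bytes a browser presents."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))

def colon_hex(data: bytes, upper: bool) -> str:
    """Hex with a colon after every two characters, e.g. 'c2:9a:b9'."""
    h = data.hex().upper() if upper else data.hex()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def cert_hash(der: bytes) -> str:
    """SSLClientCertHash as described in the thread: MD5 of the DER, upper-case colon hex."""
    return colon_hex(hashlib.md5(der).digest(), upper=True)

def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_serial(der: bytes) -> str:
    """SSLClientCertSerialNumber as described in the thread: lower-case colon hex.
    Walks Certificate { tbsCertificate { [0] version OPTIONAL, serialNumber INTEGER } }.
    The INTEGER's content bytes are used as-is (assumption: a leading 0x00 sign byte is kept)."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, value, pos = _tlv(tbs, 0)
    if tag == 0xA0:                            # explicit [0] version present: skip it
        tag, value, pos = _tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return colon_hex(value, upper=False)

# Constructed sample (not a real certificate): an outer SEQUENCE whose TBS holds only
# version v3 and a 16-byte serial, which is enough to exercise the parser and formatting.
SAMPLE_SERIAL = bytes.fromhex("0123454491" "79b3ae7e9d" "6c4922c26a" "ef")
SAMPLE_TBS = bytes.fromhex("a003020102") + b"\x02\x10" + SAMPLE_SERIAL
SAMPLE_DER = b"\x30\x19\x30\x17" + SAMPLE_TBS
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)              # hashing SAMPLE_PEM.encode() instead gives a different value
    print("Cert_Hash:", cert_hash(der), "\nCert_SN  :", cert_serial(der))
```

Feed a real client certificate (PEM or DER) to cert_hash and cert_serial to produce the two class entries; the md5 of the PEM text, which is what the original post compared against, will never match the header.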