Forum Discussion
Derek_Nelson_10
Nimbostratus
Aug 24, 2005
Problem with Certificate Hash verification
Hi all.
I'm having a problem with verifying connections to a particular proxy that "requires" a client cert. The proxy is inserting the Certificate Serial Number and Certificate Hash into th...
Derek_Nelson_10
Nimbostratus
Sep 12, 2005
Thanks mmac.
I'd just figured out the problem yesterday actually and hadn't got around to posting the fix. I managed to capture the hash by using an "ssldump -AnP -i internal -k cert.key -p password | grep SSLC" command
Thanks for the help - this would have made the troubleshooting a lot easier! I'll incorporate the concatenation into my logs. It seems not to interpret the ${client_addr} for some reason, but if I do multiple log entries it seems to work OK.
The problem I had was I was trying to compare the md5 hash of the PEM certificate. It appears that browsers "present" the certs in DER format; the BIG-IP then md5 hashes that. The hash is also converted to upper-case hex with colons after every 2 characters, unlike the Serial Number, which is in a similar format but in lower-case hex.
Cheers,
- Derek.
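The fix described in the post above, as an added example that is not part of the original thread: decode the PEM file back to DER before hashing, then format the MD5 digest as upper-case hex with colons so it can be compared with the value the proxy inserts. The function names and the sample "certificate" bytes are constructed for illustration; the sample is a stand-in byte string, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armor and base64-decode the body to raw DER bytes."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def md5_fingerprint(data: bytes) -> str:
    """MD5 digest as upper-case hex with a colon after every 2 characters."""
    digest = hashlib.md5(data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def header_matches(pem_text: str, header_hash: str) -> bool:
    """Compare the proxy-supplied hash with the hash of the DER encoding."""
    expected = md5_fingerprint(pem_to_der(pem_text))
    return hmac.compare_digest(expected, header_hash.strip())


# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = bytes(range(96))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    right = md5_fingerprint(pem_to_der(SAMPLE_PEM))  # hash of the DER bytes
    wrong = md5_fingerprint(SAMPLE_PEM.encode())     # hash of the PEM text
    print("DER hash:", right)
    print("PEM hash:", wrong, "(does not match what the proxy sends)")
    print("header check:", header_matches(SAMPLE_PEM, right))
```

The match is only as strong as MD5, so it identifies a certificate that the TLS handshake has already validated rather than proving anything on its own.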
