For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Adrian_Hockey_1's avatar
Adrian_Hockey_1
Icon for Nimbostratus rankNimbostratus
Jan 25, 2013

Read SHA1 HASH From Client SSL Cert

Hi,

 

 

I am using this sample to return the thumbprint of an SSL certificate. It works fine but returns the MD5 has of the cert and I would prefer to get the SHA1 hash instead. Is this possible?

 

set cert_hash [X509::hash [SSL::cert 0]]

 

 

Many thanks!

 

application delivery
dev
devops
iRules

4 Replies

  • Adrian_Hockey_1's avatar
    Adrian_Hockey_1
    Icon for Nimbostratus rankNimbostratus
    Jan 25, 2013
    Hi Steve,

     

     

    I'm not sure that is what I want, if I use this:

     

     

    set SHA1ssl_cert [SSL::cert 0]

     

    set SHA1_hash [b64encode [sha1 $SHA1ssl_cert]]

     

    log local0. "SHA1 Thumbprint presented is = $SHA1_hash"

     

     

    The result is not the SHA1 thumprint of my SSL cert?
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jan 25, 2013
    have you tried the one which Kevin and Aaron suggested? 

    binary scan [sha1 [SSL::cert 0]] H* fingerprint
log local0. "sha1: $fingerprint"
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 28, 2013
    Yes, this should work: 

    
when HTTP_REQUEST {
    HTTP::header remove SSLClientCertSubject
    HTTP::header remove ClientCertThumbprint
    if { [SSL::cert count] > 0 } {
        HTTP::header insert SSLClientCertSubject [X509::subject [SSL::cert 0]]
        binary scan [sha1 [SSL::cert 0]] H* cert_hex
        HTTP::header insert ClientCertThumbprint $cert_hex
    }
}

    Aaron