Forum Discussion
ahmad_2312
Nimbostratus
NimbostratusRemove whiteSpace from the Certificate
Dears
we need to send the client certificate to our back-end server for authentication, but the server is expecting the certficate as the following (without whitespace)
MIIDmTCCAwKgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJTQTEPMA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNVBAoTB1Rlc3RpbmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVBAMTD0dPU0kgVGVzdGluZyBDQTAeFw0xMDAxMTkxMzIyNTVaFw0xMTAxMTkxMzIyNTVaMHsxCzAJBgNVBAYTAlNBMRQwEgYDVQQIEwtSaXlhZGgydGVzdDEUMBIGA1UEBxMLUml5YWRoMnRlc3QxFDASBgNVBAoTC1JpeWFkaDJ0ZXN0MRQwEgYDVQQLEwtSaXlhZGgydGVzdDEUMBIGA1UEAxMLUml5YWRoMnRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALYEUyZj18Kd1Ec4jhlKtJp+nPyXEuKmFnibdGpGdQNhwPbmzlRIs3VdTaYGlYS3SaTRemxr20qGSxQjH2S0BKLNFfXh2c/bugob2gwLuit/Ihec1KPh5UIqdAgH/dA7cKAZnjMH2Wpl
while the F5 is sending the following:
MIIDmTCCAwKgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJTQTEP
MA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNVBAoTB1Rlc3Rp
bmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVBAMTD0dPU0kgVGVzdGluZyBDQTAe
Fw0xMDAxMTkxMzIyNTVaFw0xMTAxMTkxMzIyNTVaMHsxCzAJBgNVBAYTAlNBMRQw
EgYDVQQIEwtSaXlhZGgydGVzdDEUMBIGA1UEBxMLUml5YWRoMnRlc3QxFDASBgNV
BAoTC1JpeWFkaDJ0ZXN0MRQwEgYDVQQLEwtSaXlhZGgydGVzdDEUMBIGA1UEAxML
Uml5YWRoMnRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALYEUyZj18Kd
1Ec4jhlKtJp+nPyXEuKmFnibdGpGdQNhwPbmzlRIs3VdTaYGlYS3SaTRemxr20qG
SxQjH2S0BKLNFfXh2c/bugob2gwLuit/Ihec1KPh5UIqdAgH/dA7cKAZnjMH2Wpl
i have tried many functions to do that but the space is still there
Loop through each cert and log the cert subject, issuer and serial number
for {set i 0} {$i < [SSL::cert count]} {incr i}{
log local0. "[IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]]; [X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]]; [X509::hash [SSL::cert $i]];"
set allcert "[X509::whole [SSL::cert $i]]"
log local0. "[IP::client_addr]:[TCP::client_port]"
log local0. $allcert
set thecert [findstr [X509::whole [SSL::cert $i]] "-----BEGIN CERTIFICATE-----" 28 "-----END CERTIFICATE-----"]
log local0. $thecert
set certnospace [string map -nocase {" " ""} $thecert]
log local0. "Test1 $certnospace"
regsub -all " " $thecert "" certnospace2
log local0. "Test2 $certnospace2"
}
Any Help
hoolioCirrostratus
Hi ahmad,
Are you using LWS (Linear White Space Click here) on the HTTP::header command? RFC2616 states each carriage return line feed should be replaced by the server with a single space:
ftp://ftp.rfc-editor.org/in-notes/rfc2616.txt
A CRLF is allowed in the definition of TEXT only as part of a header
field continuation. It is expected that the folding LWS will be
replaced with a single SP before interpretation of the TEXT value.
Can you include the part of the iRule where you're inserting the cert? Also, do the log lines show the spaces or just the output the server receives?
Aaron
ahmad_2312Thanx holio
this is the insertion part, can i use iRule to look for CRLF and remove it instead of using "lws" since i need to pass the cert to server without any spaces
when HTTP_REQUEST {
if { [SSL::cert count] > 0 } {
set thecert [findstr [X509::whole [SSL::cert 0]] "-----BEGIN CERTIFICATE-----" 28 "-----END CERTIFICATE-----"]
HTTP::header insert WL-Proxy-SSL "true"
HTTP::header insert WL-Proxy-Client-Cert $thecert
}
}- ahmad_2312Both log lines and service receives are showing the spaces
- Kevin_Stewart
Employee
Ahmad,
Are you sure that you need to strip the cert header and footer? I just came across a similar situation and the answer was simply to b64encode the whole cert:set cert [b64encode [X509::whole [SSL::cert 0]]]
Kevin - ahmad_2312yes, i am very sure that this is what we need, even i tested that by bypass the cert as the following and it worked out and processed correctly by our weblogic back-end servers : Note that:
HTTP::header insert WL-Proxy-Client-Cert "MIIDKjCCApOgAwIBAgIDEAAFMA0GCSqGSIb3DQEBBAUAMG0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIEwZSaXlhZGgxDzANBgNVBAcTBlJpeWFkaDEQMA4GA1UEChMHVGVzdGluZzEQMA4GA1UE[to the end of the certificate]" - hoolioHi Ahmad,
Can you post anonymised log output from these portions of the iRule:
log local0. "[IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]]; [X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]]; [X509::hash [SSL::cert $i]];"
set allcert "[X509::whole [SSL::cert $i]]"
log local0. "[IP::client_addr]:[TCP::client_port]"
log local0. $allcert
set thecert [findstr [X509::whole [SSL::cert $i]] "-----BEGIN CERTIFICATE-----" 28 "-----END CERTIFICATE-----"]
log local0. $thecert
set certnospace [string map -nocase {" " ""} $thecert]
log local0. "Test1 $certnospace"
regsub -all " " $thecert "" certnospace2
log local0. "Test2 $certnospace2"
Thanks,
Aaron - ahmad_2312Hi;
this is the log content:
Rule CertInHeader : 86.51.147.XX:28334: cert 0; subject=CN=Riyadh2test,OU=Riyadh2test,O=Riyadh2test,L=Riyadh2test,ST=Riyadh2test,C=SA; CN=GOSI Testing CA,OU=Testing,O=Testing,L=Riyadh,ST=Riyadh,C=SA; cert_serial=08; 88:d5:ca:f8:2f:c5:6c:3c:2e:aa:21:XX:4e:2b:f0:3d;
Rule CertInHeader : 86.51.147.XX:28334
Rule CertInHeader : -----BEGIN CERTIFICATE----- MIIDmTCCAwKgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJTQTEP MA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNVBAoTB1Rlc3Rp bmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVBAMTD0dPU0kgVGVzdGluZyBDQTAe Fw0xMDAxMTkxMzIyNTVaFw0xMTAxMTkxMzIyNTVaMHsxCzAJBgNVBAYTAlNBMRQw EgYDVQQIEwtSaXlhZGgydGVzdDEUMBIGA1UEBxMLUml5YWRoMnRlc3QxFDASBgNV BAoTC1JpeWFkaDJ0ZXN0MRQwEgYDVQQLEwtSaXlhZGgydGVzdDEUMBIGA1UEAxML Uml5YWRoMnRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALYEUyZj18Kd 1Ec4jhlKtJp+nPyXEuKmFnibdGpGdQNhwPbmzlRIs3VdTaYGlYS3SaTRemxr20qG SxQjH2S0BKLNFfXh2c/bugob2gwLuit/Ihec1KPh5UIqdAgH/dA7cKAZnjMH2Wpl EFBuI/oDPvEOcQXaJzgBnIRxWXrFiCUXAgMBAAGjggE5MIIBNTAJBgNVHRMEAjAA MBEGCWCGSAGG+EIBAQQEAwIFoDAsBglghkgBhvhCAQ0EHxYdaVNELVNTTCBHZW5l cmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHOKGPHsVYqmr96x0dsTkCvKa2ZT MIGXBgNVHSMEgY8wgYyAFEXnisp1lDSb0ni+lH36HAiQ83HooXGkbzBtMQswCQYD VQQGEwJTQTEPMA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNV BAoTB1Rlc3RpbmcxEDAOBgNVBAs
Rule CertInHeader : MIIDmTCCAwKgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJTQTEP MA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNVBAoTB1Rlc3Rp bmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVBAMTD0dPU0kgVGVzdGluZyBDQTAe Fw0xMDAxMTkxMzIyNTVaFw0xMTAxMTkxMzIyNTVaMHsxCzAJBgNVBAYTAlNBMRQw EgYDVQQIEwtSaXlhZGgydGVzdDEUMBIGA1UEBxMLUml5YWRoMnRlc3QxFDASBgNV BAoTC1JpeWFkaDJ0ZXN0MRQwEgYDVQQLEwtSaXlhZGgydGVzdDEUMBIGA1UEAxML Uml5YWRoMnRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALYEUyZj18Kd 1Ec4jhlKtJp+nPyXEuKmFnibdGpGdQNhwPbmzlRIs3VdTaYGlYS3SaTRemxr20qG SxQjH2S0BKLNFfXh2c/bugob2gwLuit/Ihec1KPh5UIqdAgH/dA7cKAZnjMH2Wpl EFBuI/oDPvEOcQXaJzgBnIRxWXrFiCUXAgMBAAGjggE5MIIBNTAJBgNVHRMEAjAA MBEGCWCGSAGG+EIBAQQEAwIFoDAsBglghkgBhvhCAQ0EHxYdaVNELVNTTCBHZW5l cmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHOKGPHsVYqmr96x0dsTkCvKa2ZT MIGXBgNVHSMEgY8wgYyAFEXnisp1lDSb0ni+lH36HAiQ83HooXGkbzBtMQswCQYD VQQGEwJTQTEPMA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNV BAoTB1Rlc3RpbmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVBAMTD0d
Rule CertInHeader : Test1 MIIDmTCCAwKgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJTQTEP MA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNVBAoTB1Rlc3Rp bmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVBAMTD0dPU0kgVGVzdGluZyBDQTAe Fw0xMDAxMTkxMzIyNTVaFw0xMTAxMTkxMzIyNTVaMHsxCzAJBgNVBAYTAlNBMRQw EgYDVQQIEwtSaXlhZGgydGVzdDEUMBIGA1UEBxMLUml5YWRoMnRlc3QxFDASBgNV BAoTC1JpeWFkaDJ0ZXN0MRQwEgYDVQQLEwtSaXlhZGgydGVzdDEUMBIGA1UEAxML Uml5YWRoMnRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALYEUyZj18Kd 1Ec4jhlKtJp+nPyXEuKmFnibdGpGdQNhwPbmzlRIs3VdTaYGlYS3SaTRemxr20qG SxQjH2S0BKLNFfXh2c/bugob2gwLuit/Ihec1KPh5UIqdAgH/dA7cKAZnjMH2Wpl EFBuI/oDPvEOcQXaJzgBnIRxWXrFiCUXAgMBAAGjggE5MIIBNTAJBgNVHRMEAjAA MBEGCWCGSAGG+EIBAQQEAwIFoDAsBglghkgBhvhCAQ0EHxYdaVNELVNTTCBHZW5l cmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHOKGPHsVYqmr96x0dsTkCvKa2ZT MIGXBgNVHSMEgY8wgYyAFEXnisp1lDSb0ni+lH36HAiQ83HooXGkbzBtMQswCQYD VQQGEwJTQTEPMA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNV BAoTB1Rlc3RpbmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVB
Rule CertInHeader : Test2 MIIDmTCCAwKgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJTQTEP MA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNVBAoTB1Rlc3Rp bmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVBAMTD0dPU0kgVGVzdGluZyBDQTAe Fw0xMDAxMTkxMzIyNTVaFw0xMTAxMTkxMzIyNTVaMHsxCzAJBgNVBAYTAlNBMRQw EgYDVQQIEwtSaXlhZGgydGVzdDEUMBIGA1UEBxMLUml5YWRoMnRlc3QxFDASBgNV BAoTC1JpeWFkaDJ0ZXN0MRQwEgYDVQQLEwtSaXlhZGgydGVzdDEUMBIGA1UEAxML Uml5YWRoMnRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALYEUyZj18Kd 1Ec4jhlKtJp+nPyXEuKmFnibdGpGdQNhwPbmzlRIs3VdTaYGlYS3SaTRemxr20qG SxQjH2S0BKLNFfXh2c/bugob2gwLuit/Ihec1KPh5UIqdAgH/dA7cKAZnjMH2Wpl EFBuI/oDPvEOcQXaJzgBnIRxWXrFiCUXAgMBAAGjggE5MIIBNTAJBgNVHRMEAjAA MBEGCWCGSAGG+EIBAQQEAwIFoDAsBglghkgBhvhCAQ0EHxYdaVNELVNTTCBHZW5l cmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHOKGPHsVYqmr96x0dsTkCvKa2ZT MIGXBgNVHSMEgY8wgYyAFEXnisp1lDSb0ni+lH36HAiQ83HooXGkbzBtMQswCQYD VQQGEwJTQTEPMA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNV BAoTB1Rlc3RpbmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVB - hoolioSorry, I should have noticed this before. It's probably carriage return and/or line feeds--not spaces--in the cert string. Can you try using string map to remove the whitespace?
set certnospace [string map -nocase {\n ""} $thecert]
or:
set certnospace [string map -nocase {" " "" \n "" \r ""} $thecert]
Aaron - ahmad_2312Aaron You Are a Genius, you are right , it worked
thanks a lot 
Navin_65857Hi , can you please let me know fix, I am still getting space
