Forum Discussion
SSL::cert count is always 0 when root cert is missing
When logging information about handshakes I would like to log the subject information from the incoming cert. However, these solutions below will not print any certificate information at all. We think it is because the client's root certificate is not in the trust store. But shouldn't it then be able to at least print the root certificate's subject information?
when CLIENTSSL_CLIENTCERT {
    if { [SSL::verify_result] != 0 } {
        # $connectport is set elsewhere in the original iRule (not shown here)
        log local0. "[getfield [IP::client_addr] "%" 1] $connectport Bad cert - [X509::verify_cert_error_string [SSL::verify_result]] using client certificate: [X509::subject [SSL::cert 0]]"
        SSL::session invalidate
        reject
    }
}
These are from two different iRules. Output is blank after "using client certificate:".
when CLIENTSSL_HANDSHAKE {
    set debug 2
    # Check if client presented a cert after it was requested/required
    if { [SSL::cert count] > 0 } {
        # Client presented at least one cert. The actual client cert should always be first.
        if { $debug > 1 } {
            # Loop through each cert and log the cert subject, issuer and serial number
            for { set i 0 } { $i < [SSL::cert count] } { incr i } {
                log local0. "[IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]]; issuer=[X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]];"
            }
        }
    } else {
        if { $debug > 1 } { log local0. "[IP::client_addr]:[TCP::client_port]: No client cert found!" }
    }
}
The output is "No client cert found!" for this one.
Is it possible that the SSL::cert list is not populated with the information because the certificate is unverified?
1 Reply
You are working with the client certificate, so you only see the sent client certificate info. In my experience you only see one certificate, so never any root or intermediate.
Are you 100% sure you are sending a client cert? The fact you don't set an advertised CA might be of influence here.
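An added example (not code from the original post or from F5) that folds the two iRules above into one CLIENTSSL_CLIENTCERT handler, so an empty cert list produces an explicit log line instead of blank output. It assumes, as the reply states, that only the client's own leaf cert is visible at index 0, and that SSL::verify_result is already populated in this event.

```tcl
# Added example: guard every X509 lookup with SSL::cert count so a missing or
# unverifiable client cert produces an explicit log line instead of blank output.
when CLIENTSSL_CLIENTCERT {
    set client "[getfield [IP::client_addr] "%" 1]:[TCP::client_port]"
    set result [SSL::verify_result]

    if { [SSL::cert count] == 0 } {
        # Nothing to inspect: no cert was presented. As the reply notes, check
        # that the client SSL profile advertises the CA the client expects.
        log local0. "$client no client cert presented; verify_result=$result ([X509::verify_cert_error_string $result])"
        if { $result != 0 } {
            SSL::session invalidate
            reject
        }
        return
    }

    # Only the leaf cert the client sent is visible here (index 0); the root and
    # intermediates of the client's chain are not exposed (per the reply above).
    set subject [X509::subject [SSL::cert 0]]
    set issuer  [X509::issuer [SSL::cert 0]]

    if { $result != 0 } {
        # Verification failed (for example, the issuer is not in the trust store):
        # the subject is still readable, so record it before rejecting.
        log local0. "$client bad cert: [X509::verify_cert_error_string $result]; subject=$subject; issuer=$issuer"
        SSL::session invalidate
        reject
        return
    }

    log local0. "$client client cert accepted; subject=$subject; issuer=$issuer"
}
```

If the log still reports "no client cert presented" for a client you believe is sending one, the cert is not reaching the handshake at all, which points back to the advertised-CA question in the reply rather than to the iRule.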