Forum Discussion

George_San_Pedr
Altostratus
Aug 29, 2006

X509::whole returning incomplete cert

Hi,

I have the following iRule so I can catch the certs from my SSL clients:

when CLIENTSSL_CLIENTCERT {
   log local0. "Certificate: [X509::whole [SSL::cert 0]]"
}

However, when I review the output of /var/log/ltm I see only *part* of the client cert:

The complete cert is actually:

Any ideas?
  • Hi,

    I already tried to increase the value of log_msg_size in the /etc/syslog-ng/syslog-ng.conf file, restarted the syslog process and still no luck. Perhaps the 1024 limit is hardcoded? If so, how can I solve the issue?
  • unRuleY_95363
    Historic F5 Account
    Yes, it is hardcoded to 1024 in the TMM.

    I'm not sure what you need this for, but another idea is this:

    Create a global Tcl array to contain your log entries and then basically append them to the array instead of logging them with log.

    Then, create a separate internal vip with a special rule (I called it retrieve_client_certs). This rule will output the contents of the Tcl array and clear it. You could then use curl, wget, or a similar utility to poll the list. The only disadvantage would be if the system goes down, you'd potentially lose whatever was currently in the array. However, you also have this problem to some degree with using the log facility since it is not reliable.

    Here's a sample (in bigip.conf form):
    rule save_client_certs {
       when CLIENTSSL_CLIENTCERT {
          # Store the entry in the global array instead of logging it (log lines are cut at 1024 bytes)
          set ::client_certs($::cert_count) "[clock format [clock seconds] -format {%d-%b-%Y %H:%M:%S}] Client: [IP::remote_addr] Certificate: [X509::whole [SSL::cert 0]]"
          incr ::cert_count
       }
    }
    rule retrieve_client_certs {
       when RULE_INIT {
          # Globals need the :: prefix; without it these would be locals of RULE_INIT only
          array set ::client_certs {}
          set ::cert_count 0
          set ::last_time [clock seconds]
       }
       when HTTP_REQUEST {
          # Build the listing in insertion order, then clear the array so each poll returns only new entries
          set body "Client certs since: [clock format $::last_time -format {%d-%b-%Y %H:%M:%S}]\r\n\r\n"
          foreach index [lsort -integer [array names ::client_certs]] {
             append body "$::client_certs($index)\r\n"
          }
          HTTP::respond 200 content "Recent Client Certificates\r\n$body"
          array unset ::client_certs
          set ::cert_count 0
          set ::last_time [clock seconds]
       }
    }
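    As an added example that is not from the thread or from F5, here is a Python consumer for the listing that retrieve_client_certs returns: it splits the body into (timestamp, client, PEM) records using the entry layout of save_client_certs, and flags any PEM that is not a complete certificate by checking the markers, the base64 body and the outer DER SEQUENCE length, which is exactly what a line cut at 1024 bytes fails. The DER bytes and the listing body are constructed, not real certificates.

```python
import base64
import re

# Entry layout written by save_client_certs: "<dd-Mon-YYYY HH:MM:SS> Client: <ip> Certificate: <PEM>"
ENTRY_RE = re.compile(
    r"(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}) Client: (\S+) Certificate: "
    r"(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)", re.DOTALL)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def pem_is_complete(pem: str) -> bool:
    """True only if the PEM wraps one whole DER Certificate SEQUENCE.
    A line cut at 1024 bytes loses the END marker or part of the base64 body, so
    the markers are missing or the outer DER length disagrees with the decoded size."""
    m = PEM_RE.search(pem)
    if not m:
        return False
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:  # bad alphabet or padding: body was cut mid-line
        return False
    if len(der) < 2 or der[0] != 0x30:  # Certificate ::= SEQUENCE
        return False
    if der[1] < 0x80:  # short-form length
        hdr, length = 2, der[1]
    else:  # long form: low 7 bits give the count of length octets
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)

def parse_cert_listing(body: str) -> list:
    """Split the retrieve_client_certs response into per-client records."""
    return [{"time": t, "client": ip, "pem": pem, "complete": pem_is_complete(pem)}
            for t, ip, pem in ENTRY_RE.findall(body)]

def make_pem(der: bytes) -> str:
    """PEM-wrap DER bytes in 64-column lines (only used to build the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----"

# Constructed stand-in, not a real certificate: a 904-byte DER SEQUENCE whose PEM
# form (about 1.3 KB) overflows the 1024-byte TMM log limit.
SAMPLE_DER = b"\x30\x82\x03\x84" + bytes(900)
SAMPLE_PEM = make_pem(SAMPLE_DER)
TRUNCATED_PEM = ("Certificate: " + SAMPLE_PEM)[:1024]  # what /var/log/ltm would show
SAMPLE_BODY = ("Recent Client Certificates\r\nClient certs since: 29-Aug-2006 10:00:00\r\n\r\n"
               "29-Aug-2006 10:15:42 Client: 192.0.2.10 Certificate: " + SAMPLE_PEM + "\r\n")
```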