Forum Discussion
George_San_Pedr
Altostratus
Aug 29, 2006
X509::whole returning incomplete cert
Hi,
I have the following iRule so I can catch the certs from my SSL clients:
when CLIENTSSL_CLIENTCERT {
    log local0. "Certificate: [X509::whole [SSL::cert 0]]"
}
However when I review the output of /var/log/ltm I see only *part* of the client cert:
The complete cert is actually:
Any ideas?
3 Replies
- unRuleY_95363
Historic F5 Account
This is caused by a limit of 1024 bytes in the logging facility.
- George_San_Pedr
Altostratus
Hi,
I already tried to increase the value of log_msg_size in the /etc/syslog-ng/syslog-ng.conf file, restarted the syslog process and still no luck. Perhaps the 1024 limit is hardcoded? If so, how can I solve the issue?
- unRuleY_95363
Historic F5 Account
Yes, it is hardcoded to 1024 in the TMM.
I'm not sure what you need this for, but another idea is this:
Create a global Tcl array to contain your log entries and then basically append them to the array instead of logging them with log.
Then, create a separate internal vip with a special rule (I called it retrieve_client_certs). This rule will output the contents of the Tcl array and clear it. You could then use curl, wget, or a similar utility to poll the list. The only disadvantage would be if the system goes down, you'd potentially lose whatever was currently in the array. However, you also have this problem to some degree with using the log facility since it is not reliable.
Here's a sample (in bigip.conf form):
rule save_client_certs {
    when CLIENTSSL_CLIENTCERT {
        # Stash the whole PEM in a global array instead of sending it to the 1024-byte-limited log
        set ::client_certs($::cert_count) "[clock format [clock seconds] -format {%d-%b-%Y %H:%M:%S}] Client: [IP::remote_addr] Certificate: [X509::whole [SSL::cert 0]]"
        incr ::cert_count
    }
}
rule retrieve_client_certs {
    when RULE_INIT {
        # Initialise the globals with the :: prefix so both rules refer to the same variables
        array set ::client_certs {}
        set ::cert_count 0
        set ::last_time [clock seconds]
    }
    when HTTP_REQUEST {
        # Dump everything collected since the last poll, then clear the array
        set body "Client certs since: [clock format $::last_time -format {%d-%b-%Y %H:%M:%S}]\r\n\r\n"
        foreach {index cert} [array get ::client_certs] {
            append body "$cert\r\n"
        }
        HTTP::respond 200 content "Recent Client Certificates\r\n$body"
        array unset ::client_certs
        set ::cert_count 0
        set ::last_time [clock seconds]
    }
}
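Another way around the 1024-byte limit, added here as an example rather than code from the thread: keep the log as the record, but split the PEM into chunks that each fit under the cap and tag every line with a correlation id and a part counter so the pieces can be reassembled and a missing piece is visible. It assumes the cap applies per log message (prefix included), and that X509::serial_number, X509::subject and SSL::cert count are available on the platform.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Guard: the event can fire without a certificate when one is only requested
    if { [SSL::cert count] < 1 } { return }

    set cert [SSL::cert 0]
    set pem  [X509::whole $cert]

    # Correlation id shared by every line belonging to this handshake (assumption: the
    # remote address/port pair is unique enough for the polling interval of the log reader)
    set id "[IP::remote_addr]:[TCP::client_port]"

    # 600 characters of payload plus the fixed prefix stays well under the assumed
    # 1024-byte per-message cap
    set chunk 600
    set total [expr {([string length $pem] + $chunk - 1) / $chunk}]

    # One short summary line that survives intact on its own; serial and subject are
    # usually all an audit trail needs, the PEM parts are there for the rare deep dive
    log local0. "clientcert id=$id serial=[X509::serial_number $cert] subject=\"[X509::subject $cert]\" parts=$total"

    for {set i 0} {$i < $total} {incr i} {
        set start [expr {$i * $chunk}]
        set piece [string range $pem $start [expr {$start + $chunk - 1}]]
        # PEM line breaks are folded to '|' so syslog keeps each chunk on a single line;
        # the reader restores them (tr '|' '\n') after concatenating part=1..N in order
        log local0. "clientcert id=$id part=[expr {$i + 1}]/$total data=[string map [list "\r\n" "|" "\n" "|"] $piece]"
    }
}
```

A reader that sees a parts=N summary but fewer than N data lines for the same id knows the record is incomplete, which the single truncated line in the original post never reveals.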