Forum Discussion
George_San_Pedr
Altostratus
Aug 29, 2006
X509::whole returning incomplete cert
Hi,
I have the following iRule so I can catch the certs from my SSL clients:
when CLIENTSSL_CLIENTCERT {
    log local0. "Certificate: [X509::whole [SSL::cert 0]]"
}
...
unRuleY_95363
Sep 05, 2006
Historic F5 Account
Yes, it is hardcoded to 1024 in the TMM.
I'm not sure what you need this for, but another idea is this:
Create a global Tcl array to contain your log entries and then basically append them to the array instead of logging them with log.
Then, create a separate internal vip with a special rule (I called it retrieve_client_certs). This rule will output the contents of the Tcl array and clear it. You could then use curl, wget, or a similar utility to poll the list. The only disadvantage would be if the system goes down, you'd potentially lose whatever was currently in the array. However, you also have this problem to some degree with using the log facility since it is not reliable.
Here's a sample (in bigip.conf form):
rule save_client_certs {
    when CLIENTSSL_CLIENTCERT {
        # Buffer each client cert in the global array instead of sending it to log
        set ::client_certs($::cert_count) "[clock format [clock seconds] -format {%d-%b-%Y %H:%M:%S}] Client: [IP::remote_addr] Certificate: [X509::whole [SSL::cert 0]]"
        incr ::cert_count
    }
}
rule retrieve_client_certs {
    when RULE_INIT {
        # Global (::) so save_client_certs and later requests share the same variables
        array set ::client_certs {}
        set ::cert_count 0
        set ::last_time [clock seconds]
    }
    when HTTP_REQUEST {
        set body "Client certs since: [clock format $::last_time -format {%d-%b-%Y %H:%M:%S}]\r\n\r\n"
        foreach {index cert} [array get ::client_certs] {
            append body "$cert\r\n"
        }
        HTTP::respond 200 content "Recent Client Certificates\r\n$body"
        # Reset the buffer once it has been handed to the poller
        array unset ::client_certs
        set ::cert_count 0
        set ::last_time [clock seconds]
    }
}
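To consume what the retrieve_client_certs VIP hands back, here is an added example (not code from this thread or from F5) that splits the polled body into entries and flags certificates that were cut off the way the 1024-character X509::whole result in the question was. The response text, the client addresses and the "DER" bytes are constructed to match the format the two rules produce; the PEM body is a placeholder, not a real certificate.

```python
"""Audit the text returned by the retrieve_client_certs VIP for truncated certs."""
import base64
import binascii
import hashlib
import re

# Entry header exactly as save_client_certs writes it: "<timestamp> Client: <ip> Certificate: "
ENTRY_RE = re.compile(
    r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) Client: (\S+) Certificate: ", re.M)
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def parse_entries(text):
    """Return (timestamp, client_ip, pem_text) tuples; each entry runs from one
    header line to the start of the next, so multi-line PEM bodies survive."""
    heads = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append((m.group(1), m.group(2), text[m.end():end].strip()))
    return entries

def check_cert(pem):
    """Return (ok, detail). A PEM cut short lacks its END marker or carries a
    base64 body that no longer decodes; a complete one yields the SHA-256 of its
    DER bytes, which can be matched against the client's issued certificate."""
    if not pem.startswith(PEM_BEGIN) or not pem.endswith(PEM_END):
        return False, "truncated: missing PEM footer"
    body = pem[len(PEM_BEGIN):pem.rfind(PEM_END)].replace("\r", "").replace("\n", "")
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False, "truncated: base64 body does not decode"
    return True, hashlib.sha256(der).hexdigest()

def audit(text):
    """Map each client IP in the polled body to its check result."""
    return {ip: check_cert(pem) for _, ip, pem in parse_entries(text)}

# Constructed sample response: the second entry is cut off mid-body, as a
# certificate longer than 1024 characters would be.
_DER = b"constructed DER placeholder, not a real certificate " * 3
_PEM_OK = PEM_BEGIN + "\n" + base64.b64encode(_DER).decode() + "\n" + PEM_END
SAMPLE = ("Recent Client Certificates\r\n"
          "Client certs since: 29-Aug-2006 10:00:00\r\n\r\n"
          "29-Aug-2006 10:05:12 Client: 10.0.0.5 Certificate: " + _PEM_OK + "\r\n"
          "29-Aug-2006 10:07:40 Client: 10.0.0.9 Certificate: " + _PEM_OK[:80] + "\r\n")

if __name__ == "__main__":
    for ip, (ok, detail) in audit(SAMPLE).items():
        print(ip, "OK" if ok else "BAD", detail)
```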
