Binary analysis of client certificate

SamCo
Cirrus

Hello all,


For some reason, I am currently looking for a way to inspect the SSL client certificate during authentication on an LTM without an SSL profile. The ultimate goal is to be able to filter/log some specific fields of the certificate.

I started by looking at this article: https://community.f5.com/t5/technical-forum/standard-vip-tcp-collect-tls-analysys-w-o-offload/m-p/22...

and this other one to read the certificate in hex (originally this iRule was for the client cert)

https://community.f5.com/t5/technical-forum/extracting-ssl-certificate-issuer-from-server-side-conne...

I made some changes to these originally posted iRules and now manage to catch the TLS exchange of the certificate, and even to read some of the text of the certificate. I wish to be able to read it more precisely if possible, if you can help.

Below is my current iRule:

when CLIENT_ACCEPTED {
    TCP::collect
}

when CLIENT_DATA {
    # Scan the start of the collected payload as a TLS record followed by a handshake message:
    #   c   rtype       record content type (22 = handshake)
    #   H4  sslver      record version as 4 hex chars (e.g. 0303)
    #   S   rlen        record length
    #   c   type        handshake message type (11 = Certificate)
    #   c7  somth       handshake length (3) + certificate list length (3) + high byte of the first cert length
    #   S   certlength  low 16 bits of the first certificate length
    #   S4  certpad1    first 8 bytes of the DER certificate (30 82 LL LL 30 82 LL LL)
    #   c8  certpad2    next 8 bytes of the DER certificate
    #   c   certversion the byte after that
    #binary scan [TCP::payload] cH4Scc7S rtype sslver rlen type somth certlength
    binary scan [TCP::payload] cH4Scc7S4c8cc rtype sslver rlen type somth certlength certpad1 certpad2 certversion
    if { ( ${rtype} == 22 ) and ( ${type} == 11 ) } {
        # This is a TLS Certificate handshake message (22 = TLS handshake record, 11 = Certificate)
        log local0.info "Received a TLS Certificate message rtype=${rtype}, type=${type} ${sslver} ${rlen} ${type} ${somth} ${certlength} ${certversion}"
        binary scan [TCP::payload] H* hex
        # Keep everything from the record header (16 03 xx, 2-byte length, 0b = Certificate) to the end of the payload
        regexp {1603[0-9]{2}[0-9a-f]{4}0b.*} $hex dump
        # Log the raw bytes; the printable parts of the DER (issuer/subject strings) show up as text
        log local0.info [binary format H* $dump]
    }
    TCP::release
    TCP::collect
}


Cheers,

Sam
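As an added reference parser, not code from this thread or from F5, here is the TLS framing that the iRule's binary scan has to match, in Python so it can be run offline: it walks every handshake message in the record instead of assuming the Certificate message comes first, and splits the certificate list by its 3-byte lengths. All input bytes below are constructed placeholders, not real certificates.

```python
import struct
TLS_HANDSHAKE = 22   # record content type (the iRule's rtype)
HS_CERTIFICATE = 11  # handshake message type (the iRule's type)

def find_certificate_message(payload: bytes):
    """DER certificates carried by the Certificate message in the first TLS
    handshake record of `payload`, or None if none is completely present."""
    if len(payload) < 5:
        return None
    rtype, _version, rlen = struct.unpack("!BHH", payload[:5])
    body = payload[5:5 + rlen]
    if rtype != TLS_HANDSHAKE or len(body) < rlen:
        return None               # not a handshake record, or not fully collected yet
    off = 0
    while off + 4 <= len(body):   # walk every handshake message in the record
        hs_type = body[off]
        hs_len = int.from_bytes(body[off + 1:off + 4], "big")   # 3-byte length
        if hs_type == HS_CERTIFICATE:
            return split_certificate_list(body[off + 4:off + 4 + hs_len])
        off += 4 + hs_len
    return None

def split_certificate_list(msg: bytes):
    """Certificate body: 3-byte list length, then (3-byte length, DER) entries."""
    certs_len = int.from_bytes(msg[:3], "big")
    certs, pos = [], 3
    while pos + 3 <= 3 + certs_len:
        clen = int.from_bytes(msg[pos:pos + 3], "big")
        certs.append(msg[pos + 3:pos + 3 + clen])
        pos += 3 + clen
    return certs

def der_outer_length(der: bytes) -> int:
    """Length of the outermost DER SEQUENCE (the 30 82 LL LL bytes the iRule's certpad1 sees)."""
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:
        return der[1]             # short-form length
    n = der[1] & 0x7F             # long form: the next n bytes hold the length
    return int.from_bytes(der[2:2 + n], "big")

def build_certificate_record(certs, version=0x0303, leading=b""):
    """Constructed test input: one TLS 1.2 handshake record holding `leading` then a Certificate message."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    hs_body = len(entries).to_bytes(3, "big") + entries
    frag = leading + bytes([HS_CERTIFICATE]) + len(hs_body).to_bytes(3, "big") + hs_body
    return bytes([TLS_HANDSHAKE]) + version.to_bytes(2, "big") + len(frag).to_bytes(2, "big") + frag

# Constructed placeholders: DER SEQUENCE headers over dummy bodies, not real certificates.
FAKE_LEAF = b"\x30\x82\x00\x10" + b"A" * 16
FAKE_CA = b"\x30\x82\x00\x08" + b"B" * 8
# A 2-byte placeholder handshake message of type 2 precedes the Certificate, so the walker must skip it.
SAMPLE_RECORD = build_certificate_record([FAKE_LEAF, FAKE_CA], leading=b"\x02\x00\x00\x02\x03\x03")
```

Two caveats for the iRule approach: in TLS 1.3 the Certificate message is sent encrypted, so this framing is only visible for TLS 1.2 and earlier, and a Certificate message can span several TCP segments, so a single CLIENT_DATA pass may see only part of it.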

2 REPLIES

CA_Valli
Cumulonimbus

Hello, I made something similar last year to extract a specific SSL extension (type 0, SNI) and log it in ASCII format. It uses SSL:: iRule commands and a procedure to convert hex to ASCII.

I attached the code to this message. You might want to tune it.

Hi - sorry, the iRule is not complete, use _v2 instead. I got confused between my files.