cancel
Showing results for 
Search instead for 
Did you mean: 

Is SSL::cert populated when using APM "On-Demand Cert Auth"?

John_Deckers
Nimbostratus
Nimbostratus

Hi!

 

I have configured client cert authentication using APM and its On-Demand Cert Auth action. I would like to retrieve the client certificate in an iRule event (HTTP_REQUEST) using SSL::cert command.

 

In the end, I am going to hash the certificate to produce the thumbprint. As I need to the binary form of the certificate, I will not use APM session variable for this.

 

if { [SSL::cert count] > 0 } { binary scan [sha1 [SSL::cert 0]] H* cert_thumbprint }

Unfortunately, SSL::cert count remains 0 as if SSL::cert was not populated after the On-Demand action!? This issue does not happen when client cert authentication is performed right from a client ssl profile without APM.

 

Do I have to look to another event in the iRule to get an SSL::cert object populated? Something else?

 

Regards,

 

John.

 

4 REPLIES 4

Jared_Shields
Nimbostratus
Nimbostratus

Not an answer, but throwing it out there that I'm running into the same issue. I cannot seem to find a way to delay the certificate request, while still being able to read the certificate information in an irule.

Jared_Shields
Nimbostratus
Nimbostratus

For anyone else that comes along this thread, I was unable to access the certificate through `SSL::cert` when the SSL profile was set to ignore the client certificate... We wanted to delay the cert request so we used the On-Demand action in an APM policy.

 

In our case, I was able to successfully retrieve the certificate from the APM variables, such as the following:

set cert_pem [ACCESS::session data get "session.ssl.cert.whole"]

To get the thumbprint, I had to convert the PEM to DER, then B64 encode/decode, and then I was able to use the code from the OP above.

Xavier_Baugniet
Altocumulus
Altocumulus

Hi There,

 

I'm working on something similar and can't get a good solution either.

 

 I tried "session.ssl.cert.whole" too, but I don't get the same SHA-1 hash when doing it via [SSL::cert 0].

 

When logging the APM variable, via APM or via iRule, the whole certificate is not there, almost 50% is missing, so I'm wondering if there a limitation in variable length which can be handle.

Jared_Shields
Nimbostratus
Nimbostratus

Hey !

 

I had the same issue with the thumbprint not matching... I was able to get it to work, but im not proud about the method though (and I havent looked into _why_ this works). I planned to come back to this to delve deeper to understand why this works, but in the meantime, here's what worked for me:

set cert_pem [ACCESS::session data get "session.ssl.cert.whole"] set cert [b64decode [b64encode [X509::pem2der $cert_pem]]] set cert_thumbprint_binary [sha1 $cert] binary scan $cert_thumbprint_binary H* cert_thumbprint_hex

I have absolutely NO idea why converting the DER certificate to B64 and back again causes the correct thumbprint/sha1 to be generated.... But nevertheless, after doing the encode/decode, I'm now getting the same hex thumbprint that windows and other libraries generate.

 

With respect to the variable getting chopped off, I'm pretty new to BIG-IP so I can't speculate much on that... Sorry!