Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

[X509::whole [SSL::cert 0]] shows incomplete certficate

JDamian
Nimbostratus
Nimbostratus

‎23-Jun-2023 04:32 - edited ‎23-Jun-2023 04:33

Hi

In order to debug a problem regarding client certificates I added a line into a iRule for logging the certificate:

 

log local0.info "ClientSide [IP::client_addr] - Certificate: [X509::whole [SSL::cert 0]]"

but in /var/log/ltm the PEM stuff appears incomplete (no END CERTIFICATE line is logged):

ClientSide 10.179.37.156 - Certificate: -----BEGIN CERTIFICATE----- MIIIejCCBmKgAwIBAgIJQ2+FiEwmZX6sMA0GCSqGSIb3DQEBCwUAMIHTMQswCQYD VQQGEwJFUzEWMBQGA1UECwwNQUMgQ0FNRVJGSVJNQTEbMBkGA1UECgwSQUMgQ2Ft ZXJmaXJtYSBTLkEuMRIwEAYDVQQFEwlBODI3NDMyODcxSzBJBgNVBAcMQk1hZHJp ZCAoc2VlIGN1cnJlbnQgYWRkcmVzcyBhdCBodHRwczovL3d3dy5jYW1lcmZpcm1h LmNvbS9hZGRyZXNzKTEuMCwGA1UEAwwlQ2FtZXJmaXJtYSBDb3Jwb3JhdGUgU2Vy IERFIEdBTElDSUExFjAUBgNVBAMMDXNhcmEueHVudGEuZXMxCzAJBgNVBAYTAkVT dmVyIElJIC0gMjAxNTAeFw0yMDA5MjUxMjExMjlaFw0yMTA5MjUxMjExMjlaMIGQ MR8wHQYDVQQHDBZTQU5USUFHTyBERSBDT01QT1NURUxBMRIwEAYDVQQFEwlTMTUx MTAwMUgxGTAXBgNVBAsMEFhVTlRBIERFIEdBTElDSUExGTAXBgNVBAoMEFhVTlRB MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBC8KCAQEArA/XpcQVHWPy5tebVwS1 nyGIOGBkNof3PByhlfNoAl3k5ax3FRzIo8Y+zV+dmQh9V03knl7XSqhabzfi8PVc ytAauwe2sCskbt62zusOAnBKVkwIyirFHktqL6oc3TwDT7Z1iwUjgjjdX2SfxiSP 8B+0NYaCB

 

Is it due to a size limit for log messages or the certificate has been actually trimmed?

 

Best regards

 

Labels:
0 Kudos
4 REPLIES 4

Paulius
MVP
MVP

‎23-Jun-2023 05:10

@JDamian I know that the F5 typically doesn't look at HTTP responses after a certain line for HTTP health monitors so it could be a similar situation for this logging information. It's possible that we can assist in resolving your greater issue if you can expand on what issue you're having that resulted in you having to log the SSL certificate of a connection.

0 Kudos

JDamian
Nimbostratus
Nimbostratus
In response to Paulius

‎26-Jun-2023 03:42 - edited ‎26-Jun-2023 03:49

My greater issue is that after my LB team upgraded a F5 BIG IP device to 16.1.3.4 some apps requiring client certificate stopped working properly from certain clients -- an iRule did the job of requiring the certificate for last 5 years.

We have narrow down the problem to .NET client connections because the same client requests from SOAP-UI or Java have no problem.

0 Kudos

CA_Valli
MVP
MVP
In response to JDamian

‎27-Jun-2023 01:47

Was it a Major release upgrade? 
First thing that comes to my mind in this scenario is that allowed/disallowed cipher suites might have changed. By any chance, do the clients that stopped working share some "legacy" SSL config? 

v16 suites: https://my.f5.com/manage/s/article/K05134218

v15 suites: https://my.f5.com/manage/s/article/K86554600
v14 suites: https://my.f5.com/manage/s/article/K97098157

0 Kudos

whisperer
Cumulonimbus
Cumulonimbus

‎23-Jun-2023 11:16

If you are running BIG-IP 16.1.3 or higher, you can also extract useful info from the client cert within memory in iRules:

https://clouddocs.f5.com/api/irules/X509__subject.html

Then you can log things like common name 🙂

 

0 Kudos
Copyright © 2023 Khoros, LLC