Debug SSL communication

Question

I am trying to debug a mutual authentication issue. Is there any way i can get complete SSL client certificate used during ssl communication. 
I tried to use following irule but it does not work in case of wrong client certificate. 
Iule:
   ltm rule log_mutual_auth {
        when CLIENTSSL_CLIENTCERT {
            log local0.  "Issuer Info: [X509::issuer [SSL::cert 0]] , Certificate Info: [X509::subject [SSL::cert 0]]"
    }
}

Error in LTM logs:
Dec  ltm01 err tmm[16373]: 01220001:3: TCL error: /Common/log_mutual_auth  - Error using  (line 3)     invoked from within "X509::issuer [SSL::cert 0]"

keesvandenbos · Answer

Hi Emad,&nbsp;
When you run ssldump when the client connects, do you see the client presenting a client certificate?&nbsp;
Cheers,&nbsp;
Kees&nbsp;

emad · Answer

I think yes, Server Hello is completed and when client tries for keyexchage, LTM send RST. 
FYI!
New TCP connection 7: x.x.x.43(37045) &lt;-&gt; x.x.x.19(xxxx)
7 1  1481517481.9937 (0.1794)  C&gt;SV3.1(69)  Handshake
      ClientHello
        Version 3.1 
        random[32]=
          58 4e 29 a9 61 6b ab dc ef 7e bb f6 ac 58 6e 27 
          9d 27 66 4f c7 4a 19 5d b7 9b 02 a6 77 98 b0 55 
        cipher suites
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        Unknown value 0xff
        compression methods
                  NULL
7 2  1481517481.9938 (0.0000)  S&gt;CV3.1(49)  Handshake
      ServerHello
        Version 3.1 
        random[32]=
          35 65 e5 d0 78 8f 4c 61 f7 72 0b f9 51 47 8c b3 
          df 14 e2 b4 32 68 1d 67 3a d4 99 ed 23 9e bf 7d 
        session_id[0]=

cipherSuite         TLS_RSA_WITH_AES_128_CBC_SHA
        compressionMethod                   NULL
7 3  1481517481.9938 (0.0000)  S&gt;CV3.1(2402)  Handshake
      Certificate
7 4  1481517481.9938 (0.0000)  S&gt;CV3.1(221)  Handshake
      CertificateRequest
        certificate_types                   rsa_sign
        certificate_types                   dss_sign
        certificate_types                 unknown value
        certificate_authority
          30 68 31 15 30 13 06 0a 09 92 26 89 93 f2 2c 64 
          01 19 16 05 6c 6f 63 61 6c 31 16 30 14 06 0a 09 
          92 26 89 93 f2 2c 64 01 19 16 06 61 70 74 65 73 
          74 31 18 30 16 06 0a 09 92 26 89 93 f2 2c 64 01 
          19 16 08 63 6f 72 70 74 65 73 74 31 1d 30 1b 06 
          03 55 04 03 13 14 41 50 20 54 65 73 74 20 49 73 
          73 75 69 6e 67 20 43 41 20 31 
        certificate_authority
          30 63 31 15 30 13 06 0a 09 92 26 89 93 f2 2c 64 
          01 19 16 05 6c 6f 63 61 6c 31 16 30 14 06 0a 09 
          92 26 89 93 f2 2c 64 01 19 16 06 61 70 74 65 73 
          74 31 18 30 16 06 0a 09 92 26 89 93 f2 2c 64 01 
          19 16 08 63 6f 72 70 74 65 73 74 31 18 30 16 06 
          03 55 04 03 13 0f 41 50 20 54 65 73 74 20 52 6f 
          6f 74 20 43 41 
7 5  1481517481.9938 (0.0000)  S&gt;CV3.1(4)  Handshake
      ServerHelloDone
7 6  1481517482.1804 (0.1866)  C&gt;SV3.1(269)  Handshake
      Certificate
      ClientKeyExchange
        EncryptedPreMasterSecret[256]=
          67 7d be a5 7a 67 f7 ec e6 80 cc cb e0 5b cc 55 
          a1 9d 0a ee b1 7d c6 d3 35 03 34 20 a9 a3 f3 4a 
          e3 64 d7 94 aa 78 a9 18 b4 6e e7 d7 b3 28 8d ce 
          c3 f3 96 39 37 ac 84 5a 9e d6 9f 3d c1 a6 bc 96 
          31 90 51 04 3e 32 f3 a0 e0 c9 01 82 81 dd b3 5a 
          eb 28 60 71 20 b0 6b 4a 5c c7 10 51 6c aa 4a 80 
          75 af 6b f0 cd 33 ee f1 e1 b8 b0 dc 34 31 29 a0 
          95 c5 5c c8 1f c0 4a a5 a2 2d 5d 1f 36 2f 26 e6 
          c5 3f e1 8a df ed 18 37 b4 3e e5 ad 5c cd 6f 6a 
          8e e5 cb a8 47 7d 34 19 f6 05 0f f9 e3 34 3e 6e 
          c2 43 1f 2a b1 54 45 d9 c6 b7 92 81 42 69 5b ce 
          37 23 5c 1e 80 26 0f 4b 16 b7 0a c3 1a 70 48 db 
          fa 5a 56 c1 76 7f 96 85 6f 14 b5 e6 f3 a7 a6 ac 
          f0 d0 ba 07 78 32 ef 7f 6e ee ca d4 fe 40 8f c6 
          9b 32 9f f2 bc 2a 52 28 9d 64 8b 9b f1 75 28 13 
          b8 89 3e ad 87 1a 3c 2e 92 7f df a8 62 22 43 5e 
7 7  1481517482.1805 (0.0001)  S&gt;CV3.1(2)  Alert
    level           fatal
    value           handshake_failure
7    1481517482.1805 (0.0000)  S&gt;C  TCP RST

keesvandenbos · Answer

Could you change the log level of SSL to debug and check /var/log/ltm for errors? &nbsp;

emad · Answer

Yes already did that during debugging.
Dec  ltm01 debug tmm[16373]: 01260009:7: Connection error: ssl_shim_vfycerterr:3756: unsupported certificate purpose (46)
Dec  ltm01 info tmm[16373]: 01260013:6: SSL Handshake failed for TCP x.x.x.153%1:56352 -&gt; x.x.x.%1:443
Dec  ltm01 debug tmm1[16373]: 01260006:7: Peer cert verify error: unsupported certificate purpose (depth 0; cert /C=US/ST=AA/L=California/O=Test ORG/OU=software IT/CN=test.local)

keesvandenbos · Answer

When you open the crt file of your client certificate (test.local) using a text editor you will see a section like:
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
        X509v3 Key Usage:
            Digital Signature, Key Encipherment

Forum Discussion

Debug SSL communication

9 Replies

Recent Discussions

AS3 Deployments (shared objects)

Inquiry on F5's Maintenance Mode Feature for Pool Members

F5Access | MacOS Sonoma

Ansible modules for F5OS

VPN fragmented IP packets dropped

Related Content

DevCentral Community Guidelines

DevCentral Community Ranking Explained

Community Learning Path: Multi-Cloud Networking

Community Highlights, Week 15 '23

Community Highlights, Week 48 '23