Greetings! I have a request from a developer (below). I was hoping one of you could please help me come up with a solution? --------------- The F5 needs to generate an SHA1 thumbprint of the incoming SSL certificate and add the output hexadecimal encoded string as a new HTTP header to be passed along to the application. The generated thumbprint is a standard SHA1 thumbprint for identification purposes. Example HTTP Header: ClientCert-Thumbprint: a448327eff9283928b9d9993049f0386 --------------- Below is the existing iRule that is in place currently: when CLIENTSSL_CLIENTCERT { set cert_subject [X509::subject [SSL::cert 0]] if { $cert_subject == "" } { log "[IP::client_addr]:[TCP::client_port]: No client cert found!"} } when HTTP_REQUEST { if { [info exist cert_subject] } { HTTP::header insert SSLClientCertSubject $cert_subject return } } Thanks!

You should be able to use the sha1 command to generate the message digest of the $cert_subject and then insert that as a header.

The sha1 command produces a binary value. To convert it to hexadecimal, use the binary scan command: binary scan [sha1 [SSL::cert 0]] H* output log local0. $output

Here is what I did a while ago. I leave the hexdecimal handling to the backend web app. set ssl_cert [SSL::cert 0] ... set hash [b64encode [sha1 $ssl_cert]] ... HTTP::header insert "thumbprintheader" $hash

e.g. [root@ve10:Active] config b version|grep -iA 1 version BIG-IP Version 10.2.4 655.0 Hotfix HF4 Edition [root@ve10:Active] config b virtual bar list virtual bar { snat automap pool foo destination 172.28.19.79:443 ip protocol 6 rules myrule profiles { http {} myclientssl { clientside } tcp {} } } [root@ve10:Active] config b pool foo list pool foo { members 200.200.200.101:80 {} } [root@ve10:Active] config b profile myclientssl list profile clientssl myclientssl { defaults from clientssl ca file "ca.crt" client cert ca "ca.crt" peer cert mode require } [root@ve10:Active] config b rule myrule list rule myrule { when HTTP_REQUEST { if { [SSL::cert count] > 0 } { HTTP::header insert SSLClientCertSubject [X509::subject [SSL::cert 0]] binary scan [sha1 [SSL::cert 0]] H* cert_hex HTTP::header insert ClientCert-Thumbprint $cert_hex } } } client1 certificate [root@ve10:Active] config ssldump -Aed -nni 0.0 port 80 or port 443 -k /config/ssl/ssl.key/default.key New TCP connection 1: 172.28.19.251(35670) <-> 172.28.19.79(443) 1 1 1354080555.1567 (0.0241) C>S SSLv2 compatible client hello 1 2 1354080555.1568 (0.0000) S>CV3.1(81) Handshake 1 3 1354080555.1568 (0.0000) S>CV3.1(953) Handshake 1 4 1354080555.1568 (0.0000) S>CV3.1(114) Handshake 1 5 1354080555.1568 (0.0000) S>CV3.1(4) Handshake 1 6 1354080555.2336 (0.0768) C>SV3.1(1489) Handshake 1 7 1354080555.2336 (0.0000) C>SV3.1(262) Handshake 1 8 1354080555.2336 (0.0000) C>SV3.1(518) Handshake 1 9 1354080555.2336 (0.0000) C>SV3.1(1) ChangeCipherSpec 1 10 1354080555.2336 (0.0000) C>SV3.1(36) Handshake 1 11 1354080555.2556 (0.0219) S>CV3.1(1) ChangeCipherSpec 1 12 1354080555.2556 (0.0000) S>CV3.1(36) Handshake 1 13 1354080555.2567 (0.0011) C>SV3.1(175) application_data --------------------------------------------------------------- HEAD / HTTP/1.1 User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Host: 172.28.19.79 Accept: */* --------------------------------------------------------------- New TCP connection 2: 200.200.200.10(35670) <-> 200.200.200.101(80) 1354080555.2599 (0.0013) C>S --------------------------------------------------------------- HEAD / HTTP/1.1 User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Host: 172.28.19.79 Accept: */* SSLClientCertSubject: CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US ClientCert-Thumbprint: 9240c3ccc820c3506c271517c6d5f35d2337c57e --------------------------------------------------------------- client2 certificate [root@ve10:Active] config ssldump -Aed -nni 0.0 port 80 or port 443 -k /config/ssl/ssl.key/default.key New TCP connection 1: 172.28.19.251(35671) <-> 172.28.19.79(443) 1 1 1354080624.7908 (0.0210) C>S SSLv2 compatible client hello 1 2 1354080624.7909 (0.0000) S>CV3.1(81) Handshake 1 3 1354080624.7909 (0.0000) S>CV3.1(953) Handshake 1 4 1354080624.7909 (0.0000) S>CV3.1(114) Handshake 1 5 1354080624.7909 (0.0000) S>CV3.1(4) Handshake 1 6 1354080624.9088 (0.1179) C>SV3.1(1489) Handshake 1 7 1354080624.9088 (0.0000) C>SV3.1(262) Handshake 1 8 1354080624.9088 (0.0000) C>SV3.1(518) Handshake 1 9 1354080624.9088 (0.0000) C>SV3.1(1) ChangeCipherSpec 1 10 1354080624.9088 (0.0000) C>SV3.1(36) Handshake 1 11 1354080624.9294 (0.0206) S>CV3.1(1) ChangeCipherSpec 1 12 1354080624.9294 (0.0000) S>CV3.1(36) Handshake 1 13 1354080624.9308 (0.0013) C>SV3.1(175) application_data --------------------------------------------------------------- HEAD / HTTP/1.1 User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Host: 172.28.19.79 Accept: */* --------------------------------------------------------------- New TCP connection 2: 200.200.200.10(35671) <-> 200.200.200.101(80) 1354080624.9328 (0.0017) C>S --------------------------------------------------------------- HEAD / HTTP/1.1 User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Host: 172.28.19.79 Accept: */* SSLClientCertSubject: CN=client2.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US ClientCert-Thumbprint: 96d093f76eb7634b377374253762b00aef036a7f ---------------------------------------------------------------

You guys are the best! Nitass, you always knock it out of the park. I'll get this implemented and see how it goes. Thanks again.

Generate SHA1 thumbprint of incoming SSL cert

20 Replies

RiverFish
Altostratus
Nov 29, 2012
So this:

binary scan [sha1 [SSL::cert 0]] H* cert_hex

HTTP::header insert ClientCert-Thumbprint $cert_hex

is the same as this:

when CLIENTSSL_CLIENTCERT {

set client_cert [SSL::cert 0]

log local0 "Cert Thumbprint - [X509::subject $client_Hash]"

set cert_hash [X509::hash $client_cert]

}

when HTTP_REQUEST {

if { [info exist cert_hash] } {

HTTP::header insert ClientCertThumbprint $cert_hash

return

}

}

?
hooleylist
Cirrostratus
Nov 29, 2012
X509::hash will return the md5 hash of the binary cert. sha1 will return the sha1 hash.

Also, a client can resume an existing SSL session and not present the client cert in a new handshake for every TCP connection or HTTP request. TMM automatically stores the cert for the life of the SSL session and makes it accessible using [SSL::cert 0]. So it's better to get the value on each HTTP request instead of storing it in a local variable which is specific to that one TCP connection.

Long story short...the last example I posted should work for your scenario.

Aaron
RiverFish
Altostratus
Nov 29, 2012
oops. disregard this post. delete if possible.
RiverFish
Altostratus
Nov 29, 2012
Hoolio, I ran your iRule accross the dev guys one last time to confirm they were good with it. They came back with the following question:

So long as “binary scan [sha1 [SSL::cert 0]] H* cert_hex” gives us the thumbprint out of the certificate and not a SHA1 hash generated across the bytes of the presented certificate…then yes.

Could you please confirm?

hooleylist

Cirrostratus

Nov 29, 2012

Here's a quick test to show the results:


when CLIENTSSL_CLIENTCERT {

log local0. "Got [SSL::cert count] certs"

if {[SSL::cert 0] eq ""}{
log local0. "cert 0 empty"
} else {
binary scan [SSL::cert 0] H* whole_cert_hex
log local0. "\$whole_cert_hex: $whole_cert_hex"

binary scan [sha1 [SSL::cert 0]] H* fingerprint
log local0. "sha1: $fingerprint"

binary scan [md5 [SSL::cert 0]] H* fingerprint
log local0. "md5 manual: $fingerprint"

log local0. "md5 from X509::hash: [X509::hash [SSL::cert 0]]"
}
}

And the log results:

: sha1: 591fb5e98f012218dbe946780197e061206ab35f
: md5 manual: 39b06fdf22022ff0c25672cbee2263f1
: md5 from X509::hash: 39:b0:6f:df:22:02:2f:f0:c2:56:72:cb:ee:22:63:f1

And the openssl results for the same client cert:

 openssl x509 -in client1.example.com.crt -sha1 -noout -fingerprint
SHA1 Fingerprint=59:1F:B5:E9:8F:01:22:18:DB:E9:46:78:01:97:E0:61:20:6A:B3:5F

 openssl x509 -in client1.example.com.crt -md5 -noout -fingerprint
MD5 Fingerprint=39:B0:6F:DF:22:02:2F:F0:C2:56:72:CB:EE:22:63:F1

Aaron

hooleylist
Cirrostratus
Nov 29, 2012
There's also an enhancement request to update X509::hash to allow you to specify the hash type instead of it being hardcoded to md5:

Bug 380676 - RFE: Enhance X509::hash to use a specified hash, and default to hash used in cert

You could open a case with F5 Support to request this feature be built.

Aaron
RiverFish
Altostratus
Dec 18, 2012
Just wanted to post an update. Hoolio's iRule made it through test, QA, and is now in production. It takes the SHA1 thumbprint of the incoming SSL cert, converts it to hex, and inserts it into the header. It also takes the cert subject of the incoming SSL cert and inserts it into the header. Lastly, it scrubs any pre-existing headers before inserting the new ones as an extra measure of security. Thanks again Hoolio, and thanks to everyone else who pitched in. Here is the iRule again in final form:

when HTTP_REQUEST {

if { [SSL::cert count] > 0 } {

HTTP::header remove SSLClientCertSubject

HTTP::header insert SSLClientCertSubject [X509::subject [SSL::cert 0]]

binary scan [sha1 [SSL::cert 0]] H* cert_hex

HTTP::header remove ClientCertThumbprint

HTTP::header insert ClientCertThumbprint $cert_hex

}

}
hooleylist
Cirrostratus
Dec 18, 2012
That's good to hear. Thanks for posting the final iRule.

Aaron

hooleylist

Cirrostratus

Dec 18, 2012

Actually, you might want to remove the cert headers regardless of whether the client presented a cert for the SSL session to prevent a client from injecting their own headers.


when HTTP_REQUEST {
HTTP::header remove SSLClientCertSubject
HTTP::header remove ClientCertThumbprint
if { [SSL::cert count] > 0 } {
HTTP::header insert SSLClientCertSubject [X509::subject [SSL::cert 0]]
binary scan [sha1 [SSL::cert 0]] H* cert_hex
HTTP::header insert ClientCertThumbprint $cert_hex
}
}

Aaron

RiverFish
Altostratus
Jan 12, 2013
Good catch, will do. Thank you.

Forum Discussion

Generate SHA1 thumbprint of incoming SSL cert

20 Replies

Recent Discussions

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Portal Access to HTTPS resources slow

How to Implement 2 Way SSL in F5 LTM

Azure DP-100 Exam Questions

Related Content

Thumbprint of the client ssl certificate

SSL Orchestrator Advanced Use Cases: Detecting Generative AI

Securing Generative AI: Defending the Future of Innovation and Creativity

Generate API SDK for F5 Distributed Cloud

Protect multi-cloud and Edge Generative AI applications with F5 Distributed Cloud