Forum Discussion

ahmad_2312
Feb 03, 2010

Remove whiteSpace from the Certificate

Dears,

We need to send the client certificate to our back-end server for authentication, but the server is expecting the certificate as the following (without whitespace)

 

 


 

 

while the F5 is sending the following:

 

 


I have tried many functions to do that, but the space is still there.

 

 

# Loop through each cert and log the cert subject, issuer and serial number
for {set i 0} {$i < [SSL::cert count]} {incr i} {

    log local0. "[IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]]; [X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]]; [X509::hash [SSL::cert $i]];"

    # Log the whole PEM-encoded certificate
    set allcert "[X509::whole [SSL::cert $i]]"
    log local0. "[IP::client_addr]:[TCP::client_port]"
    log local0. $allcert

    # Keep only the text between the BEGIN and END lines
    set thecert [findstr [X509::whole [SSL::cert $i]] "-----BEGIN CERTIFICATE-----" 28 "-----END CERTIFICATE-----"]
    log local0. $thecert

    # Attempt 1: remove space characters with string map
    set certnospace [string map -nocase {" " ""} $thecert]
    log local0. "Test1 $certnospace"

    # Attempt 2: remove space characters with regsub
    regsub -all " " $thecert "" certnospace2
    log local0. "Test2 $certnospace2"
}

 

 

 

Any help?

10 Replies

  • Hi ahmad,

    Are you using LWS (Linear White Space) on the HTTP::header command? RFC2616 states each carriage return line feed should be replaced by the server with a single space:

    ftp://ftp.rfc-editor.org/in-notes/rfc2616.txt

    A CRLF is allowed in the definition of TEXT only as part of a header field continuation. It is expected that the folding LWS will be replaced with a single SP before interpretation of the TEXT value.

    Can you include the part of the iRule where you're inserting the cert? Also, do the log lines show the spaces or just the output the server receives?

    Aaron


  • Thanx holio

    This is the insertion part. Can I use an iRule to look for CRLF and remove it instead of using "lws", since I need to pass the cert to the server without any spaces?

    when HTTP_REQUEST {
        if { [SSL::cert count] > 0 } {
            # Keep only the text between the BEGIN and END lines
            set thecert [findstr [X509::whole [SSL::cert 0]] "-----BEGIN CERTIFICATE-----" 28 "-----END CERTIFICATE-----"]
            HTTP::header insert WL-Proxy-SSL "true"
            HTTP::header insert WL-Proxy-Client-Cert $thecert
        }
    }


  • Ahmad,

    Are you sure that you need to strip the cert header and footer? I just came across a similar situation and the answer was simply to b64encode the whole cert:

     
     set cert [b64encode [X509::whole [SSL::cert 0]]] 
     

    Kevin
  • Yes, I am very sure that this is what we need. I even tested that by bypassing the cert as the following, and it worked out and was processed correctly by our WebLogic back-end servers: Note that:

    HTTP::header insert WL-Proxy-Client-Cert "MIIDKjCCApOgAwIBAgIDEAAFMA0GCSqGSIb3DQEBBAUAMG0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIEwZSaXlhZGgxDzANBgNVBAcTBlJpeWFkaDEQMA4GA1UEChMHVGVzdGluZzEQMA4GA1UE[to the end of the certificate]"
  • Hi Ahmad,

    Can you post anonymised log output from these portions of the iRule:

    log local0. "[IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]]; [X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]]; [X509::hash [SSL::cert $i]];"
    set allcert "[X509::whole [SSL::cert $i]]"
    log local0. "[IP::client_addr]:[TCP::client_port]"
    log local0. $allcert
    set thecert [findstr [X509::whole [SSL::cert $i]] "-----BEGIN CERTIFICATE-----" 28 "-----END CERTIFICATE-----"]
    log local0. $thecert
    set certnospace [string map -nocase {" " ""} $thecert]
    log local0. "Test1 $certnospace"
    regsub -all " " $thecert "" certnospace2
    log local0. "Test2 $certnospace2"

    Thanks,

    Aaron
  • Hi;

    This is the log content:

    Rule CertInHeader : 86.51.147.XX:28334: cert 0; subject=CN=Riyadh2test,OU=Riyadh2test,O=Riyadh2test,L=Riyadh2test,ST=Riyadh2test,C=SA; CN=GOSI Testing CA,OU=Testing,O=Testing,L=Riyadh,ST=Riyadh,C=SA; cert_serial=08; 88:d5:ca:f8:2f:c5:6c:3c:2e:aa:21:XX:4e:2b:f0:3d;
    Rule CertInHeader : 86.51.147.XX:28334
    Rule CertInHeader : -----BEGIN CERTIFICATE----- MIIDmTCCAwKgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJTQTEP MA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNVBAoTB1Rlc3Rp bmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVBAMTD0dPU0kgVGVzdGluZyBDQTAe Fw0xMDAxMTkxMzIyNTVaFw0xMTAxMTkxMzIyNTVaMHsxCzAJBgNVBAYTAlNBMRQw EgYDVQQIEwtSaXlhZGgydGVzdDEUMBIGA1UEBxMLUml5YWRoMnRlc3QxFDASBgNV BAoTC1JpeWFkaDJ0ZXN0MRQwEgYDVQQLEwtSaXlhZGgydGVzdDEUMBIGA1UEAxML Uml5YWRoMnRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALYEUyZj18Kd 1Ec4jhlKtJp+nPyXEuKmFnibdGpGdQNhwPbmzlRIs3VdTaYGlYS3SaTRemxr20qG SxQjH2S0BKLNFfXh2c/bugob2gwLuit/Ihec1KPh5UIqdAgH/dA7cKAZnjMH2Wpl EFBuI/oDPvEOcQXaJzgBnIRxWXrFiCUXAgMBAAGjggE5MIIBNTAJBgNVHRMEAjAA MBEGCWCGSAGG+EIBAQQEAwIFoDAsBglghkgBhvhCAQ0EHxYdaVNELVNTTCBHZW5l cmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHOKGPHsVYqmr96x0dsTkCvKa2ZT MIGXBgNVHSMEgY8wgYyAFEXnisp1lDSb0ni+lH36HAiQ83HooXGkbzBtMQswCQYD VQQGEwJTQTEPMA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNV BAoTB1Rlc3RpbmcxEDAOBgNVBAs
    Rule CertInHeader : MIIDmTCCAwKgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJTQTEP MA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNVBAoTB1Rlc3Rp bmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVBAMTD0dPU0kgVGVzdGluZyBDQTAe Fw0xMDAxMTkxMzIyNTVaFw0xMTAxMTkxMzIyNTVaMHsxCzAJBgNVBAYTAlNBMRQw EgYDVQQIEwtSaXlhZGgydGVzdDEUMBIGA1UEBxMLUml5YWRoMnRlc3QxFDASBgNV BAoTC1JpeWFkaDJ0ZXN0MRQwEgYDVQQLEwtSaXlhZGgydGVzdDEUMBIGA1UEAxML Uml5YWRoMnRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALYEUyZj18Kd 1Ec4jhlKtJp+nPyXEuKmFnibdGpGdQNhwPbmzlRIs3VdTaYGlYS3SaTRemxr20qG SxQjH2S0BKLNFfXh2c/bugob2gwLuit/Ihec1KPh5UIqdAgH/dA7cKAZnjMH2Wpl EFBuI/oDPvEOcQXaJzgBnIRxWXrFiCUXAgMBAAGjggE5MIIBNTAJBgNVHRMEAjAA MBEGCWCGSAGG+EIBAQQEAwIFoDAsBglghkgBhvhCAQ0EHxYdaVNELVNTTCBHZW5l cmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHOKGPHsVYqmr96x0dsTkCvKa2ZT MIGXBgNVHSMEgY8wgYyAFEXnisp1lDSb0ni+lH36HAiQ83HooXGkbzBtMQswCQYD VQQGEwJTQTEPMA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNV BAoTB1Rlc3RpbmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVBAMTD0d
    Rule CertInHeader : Test1 MIIDmTCCAwKgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJTQTEP MA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNVBAoTB1Rlc3Rp bmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVBAMTD0dPU0kgVGVzdGluZyBDQTAe Fw0xMDAxMTkxMzIyNTVaFw0xMTAxMTkxMzIyNTVaMHsxCzAJBgNVBAYTAlNBMRQw EgYDVQQIEwtSaXlhZGgydGVzdDEUMBIGA1UEBxMLUml5YWRoMnRlc3QxFDASBgNV BAoTC1JpeWFkaDJ0ZXN0MRQwEgYDVQQLEwtSaXlhZGgydGVzdDEUMBIGA1UEAxML Uml5YWRoMnRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALYEUyZj18Kd 1Ec4jhlKtJp+nPyXEuKmFnibdGpGdQNhwPbmzlRIs3VdTaYGlYS3SaTRemxr20qG SxQjH2S0BKLNFfXh2c/bugob2gwLuit/Ihec1KPh5UIqdAgH/dA7cKAZnjMH2Wpl EFBuI/oDPvEOcQXaJzgBnIRxWXrFiCUXAgMBAAGjggE5MIIBNTAJBgNVHRMEAjAA MBEGCWCGSAGG+EIBAQQEAwIFoDAsBglghkgBhvhCAQ0EHxYdaVNELVNTTCBHZW5l cmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHOKGPHsVYqmr96x0dsTkCvKa2ZT MIGXBgNVHSMEgY8wgYyAFEXnisp1lDSb0ni+lH36HAiQ83HooXGkbzBtMQswCQYD VQQGEwJTQTEPMA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNV BAoTB1Rlc3RpbmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVB
    Rule CertInHeader : Test2 MIIDmTCCAwKgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBtMQswCQYDVQQGEwJTQTEP MA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNVBAoTB1Rlc3Rp bmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVBAMTD0dPU0kgVGVzdGluZyBDQTAe Fw0xMDAxMTkxMzIyNTVaFw0xMTAxMTkxMzIyNTVaMHsxCzAJBgNVBAYTAlNBMRQw EgYDVQQIEwtSaXlhZGgydGVzdDEUMBIGA1UEBxMLUml5YWRoMnRlc3QxFDASBgNV BAoTC1JpeWFkaDJ0ZXN0MRQwEgYDVQQLEwtSaXlhZGgydGVzdDEUMBIGA1UEAxML Uml5YWRoMnRlc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALYEUyZj18Kd 1Ec4jhlKtJp+nPyXEuKmFnibdGpGdQNhwPbmzlRIs3VdTaYGlYS3SaTRemxr20qG SxQjH2S0BKLNFfXh2c/bugob2gwLuit/Ihec1KPh5UIqdAgH/dA7cKAZnjMH2Wpl EFBuI/oDPvEOcQXaJzgBnIRxWXrFiCUXAgMBAAGjggE5MIIBNTAJBgNVHRMEAjAA MBEGCWCGSAGG+EIBAQQEAwIFoDAsBglghkgBhvhCAQ0EHxYdaVNELVNTTCBHZW5l cmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHOKGPHsVYqmr96x0dsTkCvKa2ZT MIGXBgNVHSMEgY8wgYyAFEXnisp1lDSb0ni+lH36HAiQ83HooXGkbzBtMQswCQYD VQQGEwJTQTEPMA0GA1UECBMGUml5YWRoMQ8wDQYDVQQHEwZSaXlhZGgxEDAOBgNV BAoTB1Rlc3RpbmcxEDAOBgNVBAsTB1Rlc3RpbmcxGDAWBgNVB
  • Sorry, I should have noticed this before. It's probably carriage return and/or line feeds--not spaces--in the cert string. Can you try using string map to remove the whitespace?

    set certnospace [string map -nocase {\n ""} $thecert]

    or:

    set certnospace [string map -nocase {" " "" \n "" \r ""} $thecert]

    Aaron
  • Aaron, you are a genius. You are right, it worked.

    Thanks a lot
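
The fix from this thread, assembled into one iRule as an added example (not code posted by any participant): it strips the PEM armor and every space, tab, CR and LF from the client certificate, then checks that only base64 characters remain before inserting the header. Two steps go beyond what the thread discusses and are assumptions about what a deployment would want: removing any `WL-Proxy-SSL` / `WL-Proxy-Client-Cert` header the client sent itself, and the log message text.

```tcl
when HTTP_REQUEST {
    # Assumption (not from the thread): drop any copy of these headers that
    # arrived from the client, so the back end only ever sees values set here.
    HTTP::header remove WL-Proxy-SSL
    HTTP::header remove WL-Proxy-Client-Cert

    if { [SSL::cert count] > 0 } {
        # PEM text: armor lines plus base64 wrapped with line breaks.
        set pem [X509::whole [SSL::cert 0]]

        # Remove the armor lines and all whitespace in one pass.
        # The log output in the thread shows the line breaks as spaces, which
        # is why mapping only " " appeared to do nothing: the characters in
        # the string are CR/LF, as the accepted answer points out.
        set b64 [string map [list \
            "-----BEGIN CERTIFICATE-----" "" \
            "-----END CERTIFICATE-----" "" \
            " " "" "\t" "" "\r" "" "\n" ""] $pem]

        # Forward the value only if nothing but base64 characters is left,
        # so a stray control character can never reach the header.
        if { [regexp {^[A-Za-z0-9+/]+={0,2}$} $b64] } {
            HTTP::header insert WL-Proxy-SSL "true"
            HTTP::header insert WL-Proxy-Client-Cert $b64
        } else {
            log local0. "[IP::client_addr]:[TCP::client_port]: client cert not clean base64 after stripping, header not inserted"
        }
    }
}
```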