Philip_A_266350
Jul 08, 2016, Nimbostratus
SSL::cert count is always 0 when root cert is missing
When logging information about handshakes I would like to log the subject information from the incoming cert. However, the solutions below will not print any certificate information at all. We think it is because the client's root certificate is not in the trust store. But shouldn't it then be able to at least print the root certificate's subject information?
when CLIENTSSL_CLIENTCERT {
    if { [SSL::verify_result] != 0 } {
        # $connectport is assumed to be set earlier in the same iRule (not shown here)
        # Note the space between X509::subject and its argument; without it Tcl looks up a command named "X509::subject[...]"
        log local0. "[getfield [IP::client_addr] "%" 1] $connectport Bad cert - [X509::verify_cert_error_string [SSL::verify_result]] using client certificate: [X509::subject [SSL::cert 0]]"
        SSL::session invalidate
        reject
    }
}
These are from two different iRules. Output is blank after "using client certificate:".
when CLIENTSSL_HANDSHAKE {
    set debug 2
    # Check if client presented a cert after it was requested/required
    if { [SSL::cert count] > 0 } {
        # Client presented at least one cert. The actual client cert should always be first.
        if { $debug > 1 } {
            # Loop through each cert and log the cert subject, issuer and serial number
            for { set i 0 } { $i < [SSL::cert count] } { incr i } {
                log local0. "[IP::client_addr]:[TCP::client_port]: cert $i; subject=[X509::subject [SSL::cert $i]] [X509::issuer [SSL::cert $i]]; cert_serial=[X509::serial_number [SSL::cert $i]];"
            }
        }
    } else {
        if { $debug > 1 } { log local0. "[IP::client_addr]:[TCP::client_port]: No client cert found!" }
    }
}
The output is "No client cert found!" for this one.
Is it possible that the SSL::cert list is not populated with the information because the certificate is unverified?
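The following iRule is an added example and is not the poster's code or F5's own: it combines the two approaches above into one CLIENTSSL_CLIENTCERT handler that guards every X509:: call behind SSL::cert count, so a log line is never written with an empty subject, and always records the numeric verify result alongside its error string, so the "no cert available" case can be told apart from "cert presented but failed verification" when reading the log. It assumes only the commands already used on this page (SSL::cert, SSL::verify_result, X509::subject, X509::issuer, X509::serial_number, X509::verify_cert_error_string) and uses TCP::client_port instead of an externally set variable.

```tcl
# Added example (not from the original post or from F5): defensive cert logging.
when CLIENTSSL_CLIENTCERT {
    # Identify the peer once so every log line carries the same prefix
    set client "[IP::client_addr]:[TCP::client_port]"
    set result [SSL::verify_result]
    set count  [SSL::cert count]

    if { $count > 0 } {
        # Index 0 is the leaf (client) cert; any further entries are chain certs
        # the client sent. Log subject, issuer and serial for each one present.
        for { set i 0 } { $i < $count } { incr i } {
            set cert [SSL::cert $i]
            log local0. "$client cert $i subject=[X509::subject $cert] issuer=[X509::issuer $cert] serial=[X509::serial_number $cert]"
        }
    } else {
        # Nothing to inspect: say so explicitly instead of logging a blank subject
        log local0. "$client no client certificate available (cert count=$count, verify_result=$result)"
    }

    if { $result != 0 } {
        # Verification failed: record both the human-readable reason and the
        # numeric code, then drop the session as the original iRule does
        log local0. "$client bad cert: [X509::verify_cert_error_string $result] (verify_result=$result)"
        SSL::session invalidate
        reject
    }
}
```

With this layout the log shows whether SSL::cert count was zero at the time the verify result was produced, which is the observation the question above is trying to confirm.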