Forum Discussion

IRONMAN
Aug 30, 2019

HTTP header insert with CN and SHA1 thumbprint of the SSL certificate?

Hi, can anyone help me edit the iRule below to match my requirement: inserting HTTP headers with the CN (certificate name) and the SHA1 thumbprint of the SSL certificate towards the backend servers.

The LTM VIP is HTTPS with only a client SSL profile.

Members are connected to the LB on port 3000, with no server-side SSL profile.

    when CLIENTSSL_HANDSHAKE {
        # Cache the client certificate under the SSL session ID so it is still
        # available on resumed sessions, where no certificate is re-sent
        set cur [SSL::sessionid]
        set ask [session lookup ssl $cur]
        if { $ask eq "" } {
            session add ssl [SSL::sessionid] [SSL::cert 0]
        }
    }

    when HTTP_REQUEST {
        set id [SSL::sessionid]
        set the_cert [session lookup ssl $id]
        if { $the_cert != "" } {
            HTTP::header insert X-Client-Cert [X509::whole $the_cert]
        }
    }

7 Replies

  • Take it you want the client certificate data inserted as HTTP headers?

    The following does this generally; you will need to pick the parts you want from the iRule X509 options:

    when CLIENTSSL_CLIENTCERT priority 100 {
        if {[SSL::cert count] > 0} {
            set clientCert [X509::whole [SSL::cert 0]]
            set clientCertSubject [X509::subject [SSL::cert 0]]
     
            foreach field [ split $clientCertSubject ","] {
                if {$field starts_with "CN="} {
                    set clientCommonName [getfield $field "=" 2]
                }
            }
        }
    }
     
    when HTTP_REQUEST {
        if {(info exists clientCert) && ($clientCert ne "") } {
            HTTP::header insert X-Client-Cert $clientCert
        }
     
        if {(info exists clientCommonName) && ($clientCommonName ne "") } {
            HTTP::header insert X-Client-CN $clientCommonName
        }
    }
  • Thanks, I modified it; please check it once.

    when CLIENTSSL_CLIENTCERT priority 100 {
      if {[SSL::cert count] > 0} {
        set clientCert [X509::whole [SSL::cert 0]]
        set clientCertSubject [X509::subject [SSL::cert 0]]
        set cert_hash [X509::hash [SSL::cert 0]]

        foreach field [ split $clientCertSubject ","] {
          if {$field starts_with "CN="} {
            set clientCommonName [getfield $field "=" 2]
          }
        }
      }
    }

    when HTTP_REQUEST {
      if {(info exists clientCert) && ($clientCert ne "") } {
        HTTP::header insert X-Client-Cert $clientCert
      }

      if {(info exists clientCommonName) && ($clientCommonName ne "") } {
        HTTP::header insert X-Client-CN $clientCommonName
      }

      {
        HTTP::header insert X-Client-CN $clientCommonName
      }
    }

  • when CLIENTSSL_CLIENTCERT priority 100 {
        if {[SSL::cert count] > 0} {
            set clientCert [X509::whole [SSL::cert 0]]
            set clientCertSubject [X509::subject [SSL::cert 0]]
            set clientCertHash [X509::hash [SSL::cert 0]]
            foreach field [ split $clientCertSubject ","] {
                if {$field starts_with "CN="} {
                    set clientCommonName [getfield $field "=" 2]
                }
            }
        }
    }
     
    when HTTP_REQUEST {
        if {(info exists clientCert) && ($clientCert ne "")} {
            HTTP::header insert X-Client-Cert $clientCert
        }
     
        if {(info exists clientCommonName) && ($clientCommonName ne "")} {
            HTTP::header insert X-Client-CN $clientCommonName
        }
     
        if {(info exists clientCertHash) && ($clientCertHash ne "")} {
            HTTP::header insert X-Client-hash $clientCertHash
        }
    }
  • Thanks for your time, I will test it and let you know the result.

  • Sorry for bothering you, but I am getting a big error when adding the rule to the F5:

    01070151:3: Rule [/Common/rulename] error: /Common/rulename:15: error: [parse error: PARSE syntax 466 {syntax error in expression "(info exists clientCert) && ($clientCert ne "")": looking for close parenthesis}][{(info exists clientCert) && ($clientCert ne "")}]
    /Common/rulename:19: error: [parse error: PARSE syntax 587 {syntax error in expression "(info exists clientCommonName) && ($clientCommonName ne "")": looking for close parenthesis}][{(info exists clientCommonName) && ($clientCommonName ne "")}]
    /Common/Qvantel-BSSAP-SIT:23: error: [parse error: PARSE syntax 724 {syntax error in expression "(info exists clientCertHash) && ($clientCertHash ne "")": looking for close parenthesis}][{(info exists clientCertHash) && ($clientCertHash ne "")}]

  • Sorry, I didn't have time to test and missed some [ ] out.

    when CLIENTSSL_CLIENTCERT priority 100 {
        if {[SSL::cert count] > 0} {
            set clientCert [X509::whole [SSL::cert 0]]
            set clientCertSubject [X509::subject [SSL::cert 0]]
            set clientCertHash [X509::hash [SSL::cert 0]]
            foreach field [ split $clientCertSubject ","] {
                if {$field starts_with "CN="} {
                    set clientCommonName [getfield $field "=" 2]
                }
            }
        }
    }
     
    when HTTP_REQUEST {
        if {([info exists clientCert]) && ($clientCert ne "")} {
            HTTP::header insert X-Client-Cert $clientCert
        }
     
        if {([info exists clientCommonName]) && ($clientCommonName ne "")} {
            HTTP::header insert X-Client-CN $clientCommonName
        }
     
        if {([info exists clientCertHash]) && ($clientCertHash ne "")} {
            HTTP::header insert X-Client-hash $clientCertHash
        }
    }
    • IRONMAN

      My application team says they are expecting these header names:

      • X-SSL-Client-CN
      • X-SSL-Client-SHA1

      Should I change it as below? Please verify once.

      when HTTP_REQUEST {
        if {([info exists clientCert]) && ($clientCert ne "")} {
          HTTP::header insert X-Client-Cert $clientCert
        }

        if {([info exists clientCommonName]) && ($clientCommonName ne "")} {
          HTTP::header insert X-SSL-Client-CN $clientCommonName
        }

        if {([info exists clientCertHash]) && ($clientCertHash ne "")} {
          HTTP::header insert X-SSL-Client-SHA1 $clientCertHash
        }
      }
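Added example, not code from the thread or from F5: a backend-side check in Python for the headers the final iRule inserts. It assumes the backend on port 3000 receives X-Client-Cert as the PEM returned by X509::whole and that X509::hash yields a colon-separated hex SHA1 (an assumption), and it rejects duplicated headers because HTTP::header insert adds a header without removing one the client supplied itself; the certificate bytes are a constructed stand-in.

```python
import base64
import hashlib
import re

def single_header(headers, name):
    """Value of `name` if present exactly once, else None. Duplicates are untrusted:
    HTTP::header insert adds a header without removing one the client sent itself."""
    values = [v for n, v in headers if n.lower() == name.lower()]
    return values[0] if len(values) == 1 else None

def pem_to_der(pem):
    """Strip PEM armour (line breaks intact or collapsed) and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)

def sha1_thumbprint(der):
    return hashlib.sha1(der).hexdigest()

def f5_format(hexdigest):
    """Assumed X509::hash layout: upper-case hex pairs separated by colons."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)).upper()

def normalize_thumbprint(text):
    """Accept 'AB:CD:...' or 'abcd...'; return 40 lower-case hex chars, or None."""
    h = text.replace(":", "").strip().lower()
    return h if re.fullmatch(r"[0-9a-f]{40}", h) else None

def verify_client_headers(headers):
    """Return (cn, thumbprint) only when each header occurs exactly once and the
    claimed SHA1 matches the certificate actually forwarded in X-Client-Cert."""
    pem = single_header(headers, "X-Client-Cert")
    cn = single_header(headers, "X-SSL-Client-CN")
    claimed = normalize_thumbprint(single_header(headers, "X-SSL-Client-SHA1") or "")
    if pem is None or cn is None or claimed is None:
        return None
    try:
        der = pem_to_der(pem)
    except ValueError:  # base64/binascii errors are ValueError subclasses
        return None
    return (cn, claimed) if sha1_thumbprint(der) == claimed else None

SAMPLE_DER = bytes(range(64))  # constructed stand-in for DER bytes, not a real X.509 certificate
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

def sample_headers():
    """Headers as the iRule in this thread would add them for SAMPLE_PEM (constructed)."""
    return [("Host", "app.example.test"), ("X-Client-Cert", SAMPLE_PEM),
            ("X-SSL-Client-CN", "client01"),
            ("X-SSL-Client-SHA1", f5_format(sha1_thumbprint(SAMPLE_DER)))]
```

If the backend must trust these headers, the iRule should also remove any client-supplied X-SSL-Client-* headers before inserting its own, so that a duplicate never reaches the application in the first place.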