Greetings! I have a request from a developer (below). I was hoping one of you could please help me come up with a solution? --------------- The F5 needs to generate an SHA1 thumbprint of the incoming SSL certificate and add the output hexadecimal encoded string as a new HTTP header to be passed along to the application. The generated thumbprint is a standard SHA1 thumbprint for identification purposes. Example HTTP Header: ClientCert-Thumbprint: a448327eff9283928b9d9993049f0386 --------------- Below is the existing iRule that is in place currently: when CLIENTSSL_CLIENTCERT { set cert_subject [X509::subject [SSL::cert 0]] if { $cert_subject == "" } { log "[IP::client_addr]:[TCP::client_port]: No client cert found!"} } when HTTP_REQUEST { if { [info exist cert_subject] } { HTTP::header insert SSLClientCertSubject $cert_subject return } } Thanks!

You should be able to use the sha1 command to generate the message digest of the $cert_subject and then insert that as a header.

The sha1 command produces a binary value. To convert it to hexadecimal, use the binary scan command: binary scan [sha1 [SSL::cert 0]] H* output log local0. $output

Here is what I did a while ago. I leave the hexdecimal handling to the backend web app. set ssl_cert [SSL::cert 0] ... set hash [b64encode [sha1 $ssl_cert]] ... HTTP::header insert "thumbprintheader" $hash

You guys are the best! Nitass, you always knock it out of the park. I'll get this implemented and see how it goes. Thanks again.

Generate SHA1 thumbprint of incoming SSL cert

20 Replies

What_Lies_Bene1
Cirrostratus
Nov 27, 2012
You should be able to use the sha1 command to generate the message digest of the $cert_subject and then insert that as a header.
Kevin_Stewart
Employee
Nov 28, 2012
The sha1 command produces a binary value. To convert it to hexadecimal, use the binary scan command:

binary scan [sha1 [SSL::cert 0]] H* output log local0. $output
hui_37443
Nimbostratus
Nov 28, 2012
Here is what I did a while ago. I leave the hexdecimal handling to the backend web app.

set ssl_cert [SSL::cert 0]

...

set hash [b64encode [sha1 $ssl_cert]]

...

HTTP::header insert "thumbprintheader" $hash

nitass

Employee

Nov 28, 2012

e.g.

[root@ve10:Active] config  b version|grep -iA 1 version
BIG-IP Version 10.2.4 655.0
Hotfix HF4 Edition

[root@ve10:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:443
   ip protocol 6
   rules myrule
   profiles {
      http {}
      myclientssl {
         clientside
      }
      tcp {}
   }
}
[root@ve10:Active] config  b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}
[root@ve10:Active] config  b profile myclientssl list
profile clientssl myclientssl {
   defaults from clientssl
   ca file "ca.crt"
   client cert ca "ca.crt"
   peer cert mode require
}
[root@ve10:Active] config  b rule myrule list
rule myrule {
   when HTTP_REQUEST {
  if { [SSL::cert count] > 0 } {
    HTTP::header insert SSLClientCertSubject [X509::subject [SSL::cert 0]]

    binary scan [sha1 [SSL::cert 0]] H* cert_hex
    HTTP::header insert ClientCert-Thumbprint $cert_hex
  }
}
}

 client1 certificate

[root@ve10:Active] config  ssldump -Aed -nni 0.0 port 80 or port 443 -k /config/ssl/ssl.key/default.key
New TCP connection 1: 172.28.19.251(35670) <-> 172.28.19.79(443)
1 1  1354080555.1567 (0.0241)  C>S SSLv2 compatible client hello
1 2  1354080555.1568 (0.0000)  S>CV3.1(81)  Handshake
1 3  1354080555.1568 (0.0000)  S>CV3.1(953)  Handshake
1 4  1354080555.1568 (0.0000)  S>CV3.1(114)  Handshake
1 5  1354080555.1568 (0.0000)  S>CV3.1(4)  Handshake
1 6  1354080555.2336 (0.0768)  C>SV3.1(1489)  Handshake
1 7  1354080555.2336 (0.0000)  C>SV3.1(262)  Handshake
1 8  1354080555.2336 (0.0000)  C>SV3.1(518)  Handshake
1 9  1354080555.2336 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
1 10 1354080555.2336 (0.0000)  C>SV3.1(36)  Handshake
1 11 1354080555.2556 (0.0219)  S>CV3.1(1)  ChangeCipherSpec
1 12 1354080555.2556 (0.0000)  S>CV3.1(36)  Handshake
1 13 1354080555.2567 (0.0011)  C>SV3.1(175)  application_data
    ---------------------------------------------------------------
    HEAD / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.19.79
    Accept: */*

    ---------------------------------------------------------------
New TCP connection 2: 200.200.200.10(35670) <-> 200.200.200.101(80)
1354080555.2599 (0.0013)  C>S
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.79
Accept: */*
SSLClientCertSubject: CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US
ClientCert-Thumbprint: 9240c3ccc820c3506c271517c6d5f35d2337c57e

---------------------------------------------------------------

 client2 certificate

[root@ve10:Active] config  ssldump -Aed -nni 0.0 port 80 or port 443 -k /config/ssl/ssl.key/default.key
New TCP connection 1: 172.28.19.251(35671) <-> 172.28.19.79(443)
1 1  1354080624.7908 (0.0210)  C>S SSLv2 compatible client hello
1 2  1354080624.7909 (0.0000)  S>CV3.1(81)  Handshake
1 3  1354080624.7909 (0.0000)  S>CV3.1(953)  Handshake
1 4  1354080624.7909 (0.0000)  S>CV3.1(114)  Handshake
1 5  1354080624.7909 (0.0000)  S>CV3.1(4)  Handshake
1 6  1354080624.9088 (0.1179)  C>SV3.1(1489)  Handshake
1 7  1354080624.9088 (0.0000)  C>SV3.1(262)  Handshake
1 8  1354080624.9088 (0.0000)  C>SV3.1(518)  Handshake
1 9  1354080624.9088 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
1 10 1354080624.9088 (0.0000)  C>SV3.1(36)  Handshake
1 11 1354080624.9294 (0.0206)  S>CV3.1(1)  ChangeCipherSpec
1 12 1354080624.9294 (0.0000)  S>CV3.1(36)  Handshake
1 13 1354080624.9308 (0.0013)  C>SV3.1(175)  application_data
    ---------------------------------------------------------------
    HEAD / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.19.79
    Accept: */*

    ---------------------------------------------------------------
New TCP connection 2: 200.200.200.10(35671) <-> 200.200.200.101(80)
1354080624.9328 (0.0017)  C>S
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.79
Accept: */*
SSLClientCertSubject: CN=client2.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US
ClientCert-Thumbprint: 96d093f76eb7634b377374253762b00aef036a7f

---------------------------------------------------------------

RiverFish
Altostratus
Nov 28, 2012
You guys are the best! Nitass, you always knock it out of the park. I'll get this implemented and see how it goes. Thanks again.
hooleylist
Cirrostratus
Nov 28, 2012
Nice work as always Nitass. You might want to also remove any pre-existing SSLClientCertSubject and ClientCert-Thumbprint headers before inserting the new values to prevent a malicious user from injecting their own headers.

Aaron
RiverFish
Altostratus
Nov 28, 2012
So the devs said that Nitass's iRule didn't look familiar to them. Familiar? I asked what they were expecting and they said there might be an existing iRule on one of the F5's. So I dug around and found the one below. They said that this is the one they needed. So what exactly is the difference?

when CLIENTSSL_CLIENTCERT {

set client_cert [SSL::cert 0]

log local0 "Cert Thumbprint - [X509::subject $client_Hash]"

set cert_hash [X509::hash $client_cert]

}

when HTTP_REQUEST {

if { [info exist cert_hash] } {

HTTP::header insert ClientCertThumbprint $cert_hash

return

}

}
RiverFish
Altostratus
Nov 28, 2012
Hoolio, the devs just asked about your concern about "preventing a malicious user from injecting their own headers". Could someone please post the complete iRule that will 1) insert the cert subject 2) insert the thumbprint and 3) remove pre-existing headers? I'm starting to understand iRules now but not sure the order in which to plug things in. Thanks!

Kevin_Stewart

Employee

Nov 28, 2012

Just change "HTTP::header insert" with "HTTP::header replace":


when HTTP_REQUEST {
    if { [SSL::cert count] > 0 } {
        HTTP::header replace SSLClientCertSubject [X509::subject [SSL::cert 0]]

        binary scan [sha1 [SSL::cert 0]] H* cert_hex
        HTTP::header replace ClientCertThumbprint $cert_hex
    }
}

hooleylist
Cirrostratus
Nov 29, 2012
HTTP::header replace will only affect the last header instance so an attacker could still inject a header by setting more than one. I put in a feature request to create an 'HTTP::header replace-all $name $value' command which would replace all existing $name headers with one new value.

For now, if you want to guarantee that no client set headers are included in the proxied request to the server, you can do this:

when HTTP_REQUEST { if { [SSL::cert count] > 0 } { HTTP::header remove SSLClientCertSubject HTTP::header insert SSLClientCertSubject [X509::subject [SSL::cert 0]] binary scan [sha1 [SSL::cert 0]] H* cert_hex HTTP::header remove ClientCertThumbprint HTTP::header insert ClientCertThumbprint $cert_hex } }

Aaron

Forum Discussion

Generate SHA1 thumbprint of incoming SSL cert

20 Replies

Recent Discussions

google-visualization-issues

Advise on setting up IRULE

google autenticator broken barcode

Port Group on F5OS network setting

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Related Content

Thumbprint of the client ssl certificate

SSL Orchestrator Advanced Use Cases: Detecting Generative AI

Securing Generative AI: Defending the Future of Innovation and Creativity

Generate API SDK for F5 Distributed Cloud

Protect multi-cloud and Edge Generative AI applications with F5 Distributed Cloud