Forum Discussion

mishpan_70054
Nimbostratus
Dec 03, 2012

Logging the subject of the server certificate - in case of a server-side SSL profile

Hi All

I have a virtual configured with clientssl & serverssl profiles enabled. I would like to know how I can log the subject details of the server certificate used by the real server when the LB communicates with a pool member.

virtual nft_https_vs {
   snatpool nft_https_snat_out
   pool nft_https_pool
   destination 10.80.10.10:https
   ip protocol tcp
   profiles {
      nft_ClientSide_prof {
         clientside
      }
      nft_ServerSide_profile_prof {
         serverside
      }
      tcp-lan-optimized {
         serverside
      }
      tcp-wan-optimized {
         clientside
      }
   }
}

 

I can see there is an event “SERVERSSL_SERVERHELLO”, but it is only available from v11.x onward and I am using v10.x.

Thanks

pankya

5 Replies

  • This should work:

    
    when SERVERSSL_HANDSHAKE {
     set subject_details [X509::subject [SSL::cert 0]]
     log local0. "$subject_details"
    }
    
  • You might want to check for the existence of the SSL certificate like so:

    
    when SERVERSSL_HANDSHAKE {
     if { [SSL::cert 0] eq "" } {
      # No SSL certificate present
      return
     } else {
      set subject_details [X509::subject [SSL::cert 0]]
      log local0. "$subject_details"
     }
    }
    
  • Hi Guys

    Thanks for the response. I tried it, but I am getting the error below:

    Dec 3 10:16:19 local/tmm5 err tmm5[6634]: 01220001:3: TCL error: cert_check_client_servere - while executing "X509::subject [SSL::cert 0]"

    ===below is my iRule========

    
    when SERVERSSL_HANDSHAKE {
     # This is the line the TCL error above points at
     set Ssubject_dn [X509::subject [SSL::cert 0]]
     log "Server Certificate Received: $Ssubject_dn"
     set Sv_result [X509::verify_cert_error_string [SSL::verify_result]]
     log "Server Certificate verification result: $Sv_result"
    }
    
  • SERVERSSL_HANDSHAKE: triggered when a server-side SSL handshake is completed.

    But here we need a state just before completion of the SSL handshake.
  • SSL::cert is not valid on the server side.

    SSL::cert

    Returns the X509 SSL certificate at the specified index in the peer certificate chain, where index is a value greater than or equal to zero. A value of zero denotes the first certificate in the chain, a value of one denotes the next, and so on. This command is currently applicable only under a client-side context and returns an error within a server-side context.

    https://devcentral.f5.com/wiki/iRules.SSL__cert.ashx

    So, as I understand it, you have to collect the TCP payload and parse the certificate subject yourself. It could be something similar to what Colin and Joel have done in the article below.

    Multiple Certs, One VIP: TLS Server Name Indication via iRules by Colin

    https://devcentral.f5.com/tutorials/tech-tips/multiple-certs-one-vip-tls-server-name-indication-via-irules
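The last reply leaves the actual work, collecting the server-side TCP payload and parsing the certificate out of it, to the reader. The following Python is an added example, not code from the thread, from F5 or from Colin's article, that shows that parsing offline: it walks TLS records to the Certificate handshake message, takes the first DER certificate and reads its subject Name with a minimal DER walker. The certificate, the TLS record and every name in them (pool-member.example.com, Example Ltd) are constructed inline, so there is no real key or signature. Two caveats a practitioner should keep in mind: this only works where the server's Certificate message travels in the clear, which is TLS 1.2 and earlier (TLS 1.3 encrypts it), and on the BIG-IP the same byte-level logic would have to run over payload the iRule gathers itself on the server-side connection rather than over a conveniently captured buffer.

```python
# Added example (not from the thread): pull the subject DN out of the TLS Certificate
# handshake message in raw server-side TCP payload. Sample record and names are constructed.
import struct
# ---- tiny DER encoder, used only to build the constructed sample input ----
def der(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                          else b"\x82" + struct.pack(">H", n))
    return bytes([tag]) + length + body

OID_CN, OID_C, OID_O = b"\x55\x04\x03", b"\x55\x04\x06", b"\x55\x04\x0a"
def der_name(rdns):  # Name ::= SEQUENCE OF (SET OF SEQUENCE { OID, UTF8String })
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, oid) + der(0x0C, v.encode()))) for oid, v in rdns))

def build_sample_certificate():
    """Structurally valid X.509 DER with a dummy key and signature (constructed)."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                        # [0] version v3
              + der(0x02, b"\x01") + alg                           # serial, signature
              + der_name([(OID_CN, "Sample Issuer CA")])           # issuer
              + der(0x30, der(0x17, b"121203000000Z") + der(0x17, b"131203000000Z"))
              + der_name([(OID_C, "GB"), (OID_O, "Example Ltd"),
                          (OID_CN, "pool-member.example.com")])    # subject
              + der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                              + der(0x05, b"")) + der(0x03, b"\x00")))  # dummy SPKI
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

def build_sample_record(cert):
    """One cert in a Certificate (type 11) handshake message inside a TLS 1.2 record."""
    cert_list = len(cert).to_bytes(3, "big") + cert
    body = len(cert_list).to_bytes(3, "big") + cert_list
    handshake = b"\x0b" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake

SAMPLE_PAYLOAD = build_sample_record(build_sample_certificate())

# ---- parsing side: what an iRule collecting the server-side TCP payload must do ----
def tls_certificates(payload):
    """Yield each DER cert in Certificate handshake messages. Handshake record
    payloads are concatenated first because one message may span several records."""
    hs, off = b"", 0
    while off + 5 <= len(payload):
        ctype, _ver, length = struct.unpack(">BHH", payload[off:off + 5])
        frag = payload[off + 5:off + 5 + length]
        if len(frag) < length:
            break                      # record truncated: need more data
        off += 5 + length
        if ctype == 22:                # handshake content type
            hs += frag
    pos = 0
    while pos + 4 <= len(hs):
        mtype, mlen = hs[pos], int.from_bytes(hs[pos + 1:pos + 4], "big")
        body = hs[pos + 4:pos + 4 + mlen]
        if len(body) < mlen:
            break
        pos += 4 + mlen
        if mtype != 11:
            continue
        end, p = 3 + int.from_bytes(body[:3], "big"), 3
        while p + 3 <= end:
            clen = int.from_bytes(body[p:p + 3], "big")
            yield body[p + 3:p + 3 + clen]
            p += 3 + clen

def der_read(buf, off):
    """Return (tag, value, next_offset) for the TLV starting at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def der_children(value):
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_read(value, off)
        out.append((tag, val))
    return out

OID_NAMES = {OID_CN: "CN", OID_C: "C", OID_O: "O", b"\x55\x04\x0b": "OU"}
def certificate_subject(cert_der):
    """tbsCertificate order: [version] serial signature issuer validity subject ..."""
    _, cert_body, _ = der_read(cert_der, 0)
    _, tbs, _ = der_read(cert_body, 0)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:           # explicit version is optional
        fields = fields[1:]
    rdns = []
    for _, rdn_set in der_children(fields[4][1]):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, val) = der_children(atv)
            rdns.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ",".join(rdns)

def subjects_from_payload(payload):
    return [certificate_subject(c) for c in tls_certificates(payload)]
```

Running `subjects_from_payload(SAMPLE_PAYLOAD)` returns `['C=GB,O=Example Ltd,CN=pool-member.example.com']`, the string the original iRule was trying to log. The two truncation checks matter in practice: a collector sees the handshake arrive in pieces, so the parser must say "not yet" on a partial record or message rather than emit a garbage subject, and the splice of handshake fragments across records is what makes a certificate larger than one record still parse.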