Ichnafi
Mar 07, 2016 · Cirrostratus
Insert certificate in HTTP header fails, depending on what is logged
Hi,
I have stumbled upon a strange behavior. I insert a client certificate into the HTTP header. Nothing fancy. Then I wanted to add some DEBUG messages to see what's happening. And here my confusion began:
Situation 1 (without DEBUG):
when HTTP_REQUEST {
    # Set DEBUG to 1 for log messages
    set DEBUG 0
    # check if there is a SSL certificate available
    if { [SSL::cert count] > 0 } {
        # insert this cert in PEM format into the X-CLIENT-CERT HTTP header
        HTTP::header insert "X-CLIENT-CERT" "[X509::whole [SSL::cert 0]]"
        if { $DEBUG } {
            log local0. "Client inserted"
        }
    }
}
Result: Good! Certificate is inside the HTTP header. Wireshark shows:
Situation 2 (with DEBUG):
when HTTP_REQUEST {
    # Set DEBUG to 1 for log messages
    set DEBUG 1
    # check if there is a SSL certificate available
    if { [SSL::cert count] > 0 } {
        # insert this cert in PEM format into the X-CLIENT-CERT HTTP header
        HTTP::header insert "X-CLIENT-CERT" "[X509::whole [SSL::cert 0]]"
        if { $DEBUG } {
            log local0. "Client inserted"
        }
    }
}
Result: Good! Certificate is inside the HTTP header. Wireshark shows:
Situation 3 (DEBUG and [HTTP::header names])
when HTTP_REQUEST {
    # Set DEBUG to 1 for log messages
    set DEBUG 1
    # check if there is a SSL certificate available
    if { [SSL::cert count] > 0 } {
        # insert this cert in PEM format into the X-CLIENT-CERT HTTP header
        HTTP::header insert "X-CLIENT-CERT" "[X509::whole [SSL::cert 0]]"
        if { $DEBUG } {
            log local0. "Client inserted"
            # let's see what headers we have
            log local0. [HTTP::header names]
        }
    }
}
Result: The certificate is not present any more. The HTTP::header log message shows every line of the certificate as a single header.
Wireshark:
Syslog:
Rule /Common/clientcert : Host User-Agent Accept Accept-Language Accept-Encoding DNT Connection X-Forwarded-Proto X-CLIENT-CERT: -----BEGIN CERTIFICATE----- MIIFbzCCBFegAwIBAgIHApco8T/4CTANBgkqhkiG9w0BAQsFADBJMQswCQYDVQQG EwJERTEZMBcGA1UEChMQUEtJLTEtVmVyd2FsdHVuZzEMMAoGA1UECxMDRE9JMREw [...]
Am I getting something wrong here? Why is the Cert gone, when logging the HTTP headers?
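As an added example that is not part of the original post: the PEM text returned by X509::whole contains line breaks, and a header parser that treats each line as a new header would produce exactly the kind of [HTTP::header names] output shown in the syslog above. The Python below (standing in for the iRule; the certificate text is a constructed stand-in, not a real cert) reproduces that split with a small lenient header parser and shows a single-line encoding plus a pre-insert check that keep the value in one header.

```python
"""Added example, not from the post: a multi-line PEM value splits into extra headers."""
from urllib.parse import quote, unquote

# Constructed stand-in for X509::whole output; the base64 lines are NOT a real cert.
PEM = ("-----BEGIN CERTIFICATE-----\n"
       "MIIBconstructedLineOne\n"
       "MIIBconstructedLineTwo\n"
       "-----END CERTIFICATE-----\n")


def build_request(cert_value: str) -> bytes:
    """Mimic 'HTTP::header insert X-CLIENT-CERT <value>' on a minimal request."""
    return ("GET / HTTP/1.1\r\nHost: example.test\r\n"
            f"X-CLIENT-CERT: {cert_value}\r\n\r\n").encode()


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Lenient header parse: LF or CRLF ends a line, one header per line.

    A line without a colon becomes a header with an empty value, which is how the
    cert lines appeared in the post's log of [HTTP::header names].
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    lines = head.replace("\r\n", "\n").split("\n")[1:]  # drop the request line
    headers = []
    for line in lines:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def header_names(raw: bytes) -> list[str]:
    return [name for name, _ in parse_headers(raw)]


def single_line_cert(pem: str) -> str:
    """URL-encode the PEM so CR/LF become %0D/%0A and the value stays on one line."""
    return quote(pem, safe="")


def decode_cert_header(value: str) -> str:
    """Receiver side: undo single_line_cert()."""
    return unquote(value)


def assert_header_safe(value: str) -> str:
    """Refuse to insert a value that could split into further header lines."""
    if "\r" in value or "\n" in value:
        raise ValueError("header value contains a line break")
    return value
```

Calling header_names(build_request(PEM)) lists the cert lines as header names, while header_names(build_request(single_line_cert(PEM))) yields only Host and X-CLIENT-CERT.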