X509::hash

Description

Returns the MD5 hash (fingerprint) of the specified X509 certificate.

Syntax

X509::hash <X509 certificate>

X509::hash <X509 certificate>

  • Returns the MD5 hash (fingerprint) of the specified X509 certificate as a string, suitable for comparing against a known value. Note that MD5 is no longer collision-resistant, so a fingerprint match identifies a known certificate but is not a strong cryptographic assurance on its own; this command hashes the certificate only and does not validate it or its chain.

Examples

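# v10.1+ example:
# Gate requests on the MD5 fingerprint of the client certificate. Only a request
# whose certificate fingerprint matches the expected value is allowed through
# (with the fingerprint forwarded in a header); every other request, including
# one with no client certificate at all, is redirected.
when HTTP_REQUEST {
  # Save the first cert the client presents as $cert; an empty string means
  # no certificate is available for this connection
  if { [set cert [SSL::cert 0]] ne "" } {

    # Compute the MD5 fingerprint once, from the cert already saved above.
    # NOTE: MD5 is not collision-resistant; a match identifies a known
    # certificate but does not validate the certificate or its chain.
    set cert_hash [X509::hash $cert]

    # Exact (case-sensitive) string comparison; the literal must be written in
    # the same format that X509::hash emits or it will never match
    if { $cert_hash equals "XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX"} {

      # Drop any client-supplied cert_hash header so the backend only ever
      # sees the value computed here, never one spoofed by the client
      HTTP::header remove cert_hash

      # Insert the matched fingerprint for the backend
      HTTP::header insert cert_hash $cert_hash

      # Exit this event so the matched request is not redirected below
      return
    }
  }
  # Redirect everything else (no cert, or a non-matching fingerprint)
  HTTP::redirect "https://someothersite/"
}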

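# Pre-v10.1 example which checks if the client cert's md5 hash matches a specific string.
# On newer versions this should instead store the hash in the session table, e.g.
# 'session add [SSL::session_id] [X509::hash $client_cert]', and look it up in HTTP_REQUEST.
when CLIENTSSL_CLIENTCERT {
  # Save the first cert the client presented; only hash it if one was actually sent
  # (SSL::cert 0 yields an empty string otherwise), matching the guard in the v10.1+ example
  set client_cert [SSL::cert 0]
  if { $client_cert ne "" } {
    # MD5 fingerprint, computed once and reused for the log line and the check below.
    # NOTE: MD5 is not collision-resistant; a match identifies a known certificate
    # but does not validate the certificate or its chain.
    set cert_hash [X509::hash $client_cert]
    log local0. "Cert hash - $cert_hash"
  }
}
when HTTP_REQUEST {
  # $cert_hash exists only if CLIENTSSL_CLIENTCERT saw a certificate on this connection
  if { [info exists cert_hash] } {
    # Exact string comparison against the expected fingerprint
    if { $cert_hash equals "XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX"} {
      HTTP::redirect "https://somesite/"
    } else {
      HTTP::redirect "https://someothersite/"
    }
  }
  # NOTE(review): a request with no client certificate falls through here without
  # any redirect -- confirm that is intended, or add an else branch that redirects it
}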