X509::hash
Description
Returns the MD5 hash (fingerprint) of the specified X509 certificate.
Syntax
X509::hash <X509 certificate>
X509::hash <X509 certificate>
- Returns the MD5 hash (fingerprint) of the specified X509 certificate.
Examples
# v10.1+ example:
when HTTP_REQUEST {
    # Save the first cert the client presents as $cert
    if { [set cert [SSL::cert 0]] ne "" } {
        # Get the md5 hash of the client cert
        set cert_hash [X509::hash $cert]
        # Check if the hash matches a specific string
        if { $cert_hash equals "XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX" } {
            # Remove any pre-existing headers
            HTTP::header remove cert_hash
            # Insert a new cert header
            HTTP::header insert cert_hash $cert_hash
            # Exit this event to avoid the redirect below for invalid certs
            return
        }
    }
    # Redirect all other requests to another URL
    HTTP::redirect "https://someothersite/"
}

# Pre-v10.1 example which checks if the client cert's md5 hash matches a specific string
# This should be updated to manually store the hash in the session table using 'session add [SSL::session_id] [X509::hash $client_cert]'
when CLIENTSSL_CLIENTCERT {
    set client_cert [SSL::cert 0]
    log local0. "Cert hash - [X509::hash $client_cert]"
    set cert_hash [X509::hash $client_cert]
}
when HTTP_REQUEST {
    # Only compare when a client cert was presented and its hash was saved
    if { [info exists cert_hash] } {
        if { $cert_hash equals "XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX" } {
            HTTP::redirect "https://somesite/"
        } else {
            HTTP::redirect "https://someothersite/"
        }
    }
}
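
An off-box way to derive and check the value that replaces the XX:XX:... placeholder, as an added example that is not part of the original documentation. It assumes X509::hash is MD5 over the certificate's DER encoding, as certificate fingerprints conventionally are; the function names are hypothetical and the PEM bundle is constructed placeholder data, not real certificates.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: PEM armor around placeholder bytes (b"abc" and b"a").
# These are NOT real certificates; they only exercise parsing and hashing.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YQ==
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(pem_text)]


def md5_fingerprint(der):
    """MD5 over the DER bytes, as colon-separated uppercase hex pairs."""
    return ":".join(f"{b:02X}" for b in hashlib.md5(der).digest())


def normalize(fp):
    """Drop colons, whitespace and case so values from different tools compare."""
    digits = re.sub(r"[:\s]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{32}", digits):
        raise ValueError(f"not a 16-byte MD5 fingerprint: {fp!r}")
    return digits


def fingerprints_match(a, b):
    """Compare two fingerprints regardless of separator or case."""
    return hmac.compare_digest(normalize(a), normalize(b))


if __name__ == "__main__":
    for index, der in enumerate(pem_to_der_list(SAMPLE_BUNDLE)):
        print(index, md5_fingerprint(der))
```

The iRule's `equals` is an exact string comparison, so copy the case and separators from the value the iRule logs rather than from this script's output. MD5 is not collision resistant, so a matching fingerprint identifies a certificate that the client SSL profile has already validated; it is not proof of identity on its own.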