ltm rule command X509 hash

iRule(1)		      BIG-IP TMSH Manual		      iRule(1)



X509::hash
       Returns the MD5 hash (fingerprint) of an X509 certificate.

SYNOPSIS
       X509::hash CERTIFICATE

DESCRIPTION
       Returns the MD5 hash (fingerprint) of the specified X509 certificate.

       Syntax

       X509::hash CERTIFICATE

	    * Returns the MD5 hash (fingerprint) of the specified X509
	      certificate.

RETURN VALUE
       Returns the MD5 hash (fingerprint) of an X509 certificate.

VALID DURING
       ANY_EVENT

EXAMPLES
	# v10.1+ example:
	when HTTP_REQUEST {
	  # Save the first cert the client presents as $cert
	  if { [set cert [SSL::cert 0]] ne "" } {

	    # Get the md5 hash of the client cert
	    set cert_hash [X509::hash $cert]

	    # Check if the hash matches a specific string
	    if { $cert_hash equals "XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX"} {

	      # Remove any pre-existing headers
	      HTTP::header remove cert_hash

	      # Insert a new cert header
	      HTTP::header insert cert_hash $cert_hash

	      # Exit this event to avoid the redirect below for invalid certs
	      return
	    }
	  }
	  # Redirect all other requests to another URL
	  HTTP::redirect "https://someothersite/"
	}


	# Pre-v10.1 example which checks if the client cert's md5 hash matches a specific string
	# This should be updated to manually store the hash in the session table using 'session add [SSL::session_id] [X509::hash $client_cert]'
	when CLIENTSSL_CLIENTCERT {
	  set client_cert [SSL::cert 0]
	  log local0. "Cert hash - [X509::hash $client_cert]"
	  set cert_hash [X509::hash $client_cert]
	}
	when HTTP_REQUEST {
	  if { [info exists cert_hash] } {
	    if { $cert_hash equals "XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX"} {
	      HTTP::redirect "https://somesite/"
	    } else {
	      HTTP::redirect "https://someothersite/"
	    }
	  }
	}
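
The iRules above compare the result against a 16-byte, colon-separated string; this added Python example (not part of the BIG-IP manual) computes that value offline from a PEM file so it can be placed in the rule. It assumes the fingerprint is MD5 over the certificate's DER encoding and that the upper-case layout of the XX:XX placeholder is what the command returns; confirm both against the value the `log local0.` line prints. The function names and the sample PEM are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def pem_to_der(pem_text):
    """Return the DER bytes of every certificate found in a PEM bundle."""
    ders = [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(pem_text)]
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders

def md5_fingerprint(der):
    """MD5 over the DER bytes, as colon-separated upper-case hex pairs."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fingerprint):
    """Drop colons, whitespace and case so formatting differences do not matter."""
    hexchars = re.sub(r"[:\s]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", hexchars):
        raise ValueError("an MD5 fingerprint is exactly 16 hex-encoded bytes")
    return hexchars

def fingerprint_matches(der, expected):
    """Compare a certificate's fingerprint with an expected value."""
    return hmac.compare_digest(normalize(md5_fingerprint(der)), normalize(expected))

# Constructed sample: the base64 body encodes the bytes b"abc", not a real
# certificate, so the digest is the well-known MD5 test vector for "abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for der in pem_to_der(SAMPLE_PEM):
        print(md5_fingerprint(der))
```

The iRule `equals` operator is an exact string comparison, so paste the fingerprint in the same case and separator style that `X509::hash` logs. MD5 is not collision resistant, so a fingerprint match identifies a certificate that the client SSL profile has already validated against a trusted CA rather than serving as the validation itself.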

HINTS
SEE ALSO
CHANGE LOG
       @BIGIP-9.0.0 --First introduced the command.



BIG-IP				  2017-01-31			      iRule(1)