1, Get ssl debug log by:
On F5 cli:
#modify /sys db log.ssl.level value Warning
#tail -f /var/log/ltm
On client side:
#openssl s_client -connect 10.12.23.115:443 -key client1.key -cert client1.crt
GET / HTTP/1.0
On F5 cli:
#modify /sys db log.ssl.level value Warning
#tail -f /var/log/ltm
On client side:
#openssl s_client -connect 10.12.23.115:443 -key client1.key -cert client1.crt
GET / HTTP/1.0
Check log and find error number
2, Add irule in the virtual server to get more information about client cert verification:
when CLIENTSSL_CLIENTCERT {
log LOCAL0.debug “nbr certs: [SSL::cert count] verifyResult: [SSL::verify_result] // [X509::verify_cert_error_string [SSL::verify_result]]”
set i 0
while {$i < [SSL::cert count]} {
log LOCAL0.debug "[X509::subject [SSL::cert $i]]"
incr i
}
when CLIENTSSL_CLIENTCERT {
log LOCAL0.debug “nbr certs: [SSL::cert count] verifyResult: [SSL::verify_result] // [X509::verify_cert_error_string [SSL::verify_result]]”
set i 0
while {$i < [SSL::cert count]} {
log LOCAL0.debug "[X509::subject [SSL::cert $i]]"
incr i
}
3, ssldump for trouble ssl session
a) use find to find the path of keyfile
[user@xxx:/S1-green-P:Active:In Sync] / # find -iname *.key*
for example
/config/filestore/files_d/partition_d/certificate_key_d/:xxx:sbb-prod.key_104322_1
b) ssldump -A -d -k -n -i
-A Print all fields
-d Show application data when private key is provided via -k
-k Private key file, found in /config/ssl/ssl.key/; the key file can be located under client SSL profile
-n Do not try to resolve PTR records for IP addresses
-i The capture VLAN name is the ingres VLAN for the TLS traffic
For example:
[user@xxx:/S1-green-P:Active:Changes Pending] / # ssldump -A -k ./config/filestore/files_d/partition_d/certificate_key_d/:partition:1410ws.verifiering.hsa.sjunet.org.key_98094_1 -i 0.0 host 10.250.14.130 and port 443
a) use find to find the path of keyfile
[user@xxx:/S1-green-P:Active:In Sync] / # find -iname *.key*
for example
/config/filestore/files_d/partition_d/certificate_key_d/:xxx:sbb-prod.key_104322_1
b) ssldump -A -d -k -n -i
-A Print all fields
-d Show application data when private key is provided via -k
-k Private key file, found in /config/ssl/ssl.key/; the key file can be located under client SSL profile
-n Do not try to resolve PTR records for IP addresses
-i The capture VLAN name is the ingres VLAN for the TLS traffic
For example:
[user@xxx:/S1-green-P:Active:Changes Pending] / # ssldump -A -k ./config/filestore/files_d/partition_d/certificate_key_d/:partition:1410ws.verifiering.hsa.sjunet.org.key_98094_1 -i 0.0 host 10.250.14.130 and port 443
key file is not needed to be specified when we only want to check ssl handshake information, not application data:
[user@xxx:/S1-green-P:Active:Changes Pending] / # ssldump -ni 0.0 host 10.250.14.130 and port 443
[user@xxx:/S1-green-P:Active:Changes Pending] / # ssldump -ni 0.0 host 10.250.14.130 and port 443
No comments:
Post a Comment