DataScript: avi.ssl.client_cert

DataScript

New API Arguments avi.ssl.client_cert( [[avi.CLIENT_CERT] [, avi.CLIENT_CERT_FINGERPRINT] [, avi.CLIENT_CERT_SUBJECT] [, avi.CLIENT_CERT_ISSUER] [, avi.CLIENT_CERT_SERIAL][, avi.CLIENT_CERT_NOTVALIDBEFORE] [, avi.CLIENT_CERT_NOTVALIDAFTER] [, avi.CLIENT_CERT_VERSION][, avi.CLIENT_CERT_SIGALG][, avi.CLIENT_CERT_ESCAPED] avi.CLIENT_CERT_SAN_EXTENSION] [, avi.CLIENT_CERT_X509_EXTENSIONS] ] )
Description Returns the client certificate in the PEM format for an established SSL connection. Optional parameters will filter the fields returned from the client certificate.
Events HTTP_REQ
HTTP_RESP
SSL_HANDSHAKE_DONE
HTTP LB Done
Parameters When no argument or `avi.CLIENT_CERT` is specified, returns the client certificate in the PEM format for an established SSL connection from the client to the virtual service, with each line except the first prepended with the tab character.
  • avi.CLIENT_CERT_NOTVALIDBEFORE: Returns the not valid before time from the client certificate
  • avi.CLIENT_CERT_NOTVALIDAFTER: Returns the not valid after time from the client certificate
  • avi.CLIENT_CERT_VERSION: Returns the version number of the client certificate
  • avi.CLIENT_CERT_SIGALG: Returns the signature algorithm of the client certificate
  • avi.CLIENT_CERT_SUBJECT: Returns the subject DN string
  • avi.CLIENT_CERT_ISSUER: Returns the issuer DN string
  • avi.CLIENT_CERT_SERIAL: Returns the serial number
  • avi.CLIENT_CERT_FINGERPRINT: Returns the SHA1 fingerprint (hash) of the cert
  • avi.CLIENT_CERT_ESCAPED: Returns the encoded PEM certificate
  • avi.CLIENT_CERT_SAN_EXTENSIONS: Returns the Subject Alternative Name (SAN) extension in the client certificate
  • avi.CLIENT_CERT_X509_EXTENSIONS: Returns all x509 extensions in the client certificate
    • Note: Starting with Avi Vantage version 21.1.3, the parameters [,avi.CLIENT_CERT_SAN_EXTENSION] and [, avi.CLIENT_CERT_X509_EXTENSIONS] are introduced.
Returns Up to nine arguments, pertaining to the client cert and its fields.
Example 1 If the cert's issuer isn't correct, add the issuer to a header and forward to a quarantine server pool.

 if avi.ssl.client_cert(avi.CLIENT_CERT_ISSUER) ~=
    "/C=US/O=foo/OU=www.foo.com/CN=www.foo.com/email=admin@foo.com" then
    avi.http.add_header("client_cert_issuer", 
       avi.ssl.client_cert(avi.CLIENT_CERT_ISSUER))
    avi.pool.select("Quarantine-Pool")
 end
Example 2 Logs the client cert attributes for the SSL connection.
if avi.http.secure() then -- test if the connection is secure
   fingerprint = avi.ssl.client_cert(avi.CLIENT_CERT_FINGERPRINT)
   avi.vs.log(fingerprint)
end
Example 3 When you send a client certificate in a HTTP request, the client escaped certificate in displayed in the DS/HTTP policy header. 
 escaped_cert = avi.ssl.client_cert(avi.CLIENT_CERT_ESCAPED)
  avi.vs.log(escaped_cert)
  avi.http.add_header("escaped_client_cert",escaped_cert)

Note: This API is not supported in the events SSL_PRECONNECT and SSL_CLIENTHELLO.

Document Revision History

Date Change Summary
December 20, 2021 Updated Datascript details (client certificate) for 21.1.3