Fortinet Document Library

Version:


Table of Contents

5.3.0
Download PDF
Copy Link

SSL commands

SSL:cipher()

Returns the cipher in handshake..

Syntax

SSL:cipher();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE{

debug("client_handshake\n")

ci=SSL:cipher();

debug("Cipher: %s \n",ci);

}

Result: (if client send https request with cipher ECDHE-RSA-DES-CBC3-SHA)

Cipher: ECDHE-RSA-DES-CBC3-SHA

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE

SSL:version()

Returns the SSL version in handshake.

Syntax

SSL:version();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE{

debug("client handshake\n")

ver=SSL:version();

debug("SSL Version: %s \n",ver);

}

Result: (client send https request with various version)

client handshake

SSL Version: TLSv1

or

client handshake

SSL Version: TLSv1.1

or

client handshake

SSL Version: TLSv1.2

or

client handshake

SSL Version: SSLv3

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE

SSL:alg_keysize()

Returns the SSL encryption keysize in handshake..

Syntax

SSL:alg_keysize();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE{

debug("client handshake\n")

ci=SSL:cipher();

key=SSL:alg_keysize();

debug("Cipher: %s\n",ci)

debug("Alg key size: %s \n",key);

}

Result: (client send https request with various ciphers)

client handshake

Cipher: ECDHE-RSA-RC4-SHA

Alg key size: 128

or

client handshake

Cipher: ECDHE-RSA-DES-CBC3-SHA

Alg key size: 168

or

client handshake

Cipher: EDH-RSA-DES-CBC-SHA

Alg key size: 56

or

client handshake

Cipher: ECDHE-RSA-AES256-GCM-SHA384

Alg key size: 256

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE

SSL:client_cert()

Returns the status of client-certificate-verify, whether or not it is enabled.

Syntax

SSL:client_cert();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE{

debug("client handshake\n")

cc=SSL:client_cert();

debug("Client cert: %s \n",cc);

}

Result:

1. If not verify certificate is not set.

Debug output:

client handshake

Client cert: false

2. If enabled verify in client-ssl-profile.

config system certificate certificate_verify

edit "verify"

config group_member

edit 2

set ca-certificate ca6

next

end

next

end

config load-balance client-ssl-profile

edit "csp"

set client-certificate-verify verify

next

end

debug output:

client handshake

Client cert: true

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:sni()

Returns the SNI or false(if no).

Syntax

SSL:sni();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE {

debug("client handshake\n")

cc=SSL:sni();

debug("SNI: %s \n",cc);

}

Result:

Enable sni in client-ssl-profile

config load-balance client-ssl-profile

edit "csp"

set client-sni-required enable

next

end

1.client send https request without sni

[root@NxLinux certs]# openssl s_client -connect 5.1.1.100:443

Debug output:

Client handshake

SNI: false

2. client send https request with sni

openssl s_client -connect 5.1.1.100:443 -servername 4096-rootca-rsa-server1

debug output :

client handshake

SNI: 4096-rootca-rsa-server1

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:npn()

Returns the next protocol negotiation strig or false(if no).

Syntax

SSL:npn();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE {

npn = SSL:npn()

}

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:alpn()

Allow you to get the SSL ALPN extension.

Syntax

SSL:alpn();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE {

alpn = SSL:alpn()

}

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:session(t)

Allows you to get SSL session id / reused / remove from cache.

Syntax

SSL:session(t);

Arguments

Name Description

t

A table which specifies the operation to the session.

Examples

when CLIENTSSL_HANDSHAKE {

t={}

t[“operation”] = “get_id”; --can be “get_id” or “remove” or “reused”

sess_Id = SSL:session(t)

if sess_id then

id = to_HEX(sess_id)

debug(“client sess id %s\n”, id)

else

sess_id = “FALSE”

end

}

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:cert(t)

Allow you to get the cert info between local or remote

Syntax

SSL:cert(t);

Arguments

Name Description

t

A table which specifies the cert direction, and operation.

Examples

when CLIENTSSL_HANDSHAKE{

debug("client handshake\n")

t={}

t["direction"]="remote";

t["operation"]="index";

t["idx"]=0;

t["type"]="info";

cert=SSL:cert(t)

if cert then

debug("client has cert\n")

end

for k,v in pairs(cert) do

if k=="serial_number" or k=="digest" then

debug("cert info name %s, value in HEX %s\n", k, to_HEX(v));

else

debug("cert info name %s, value %s\n", k, v);

end

end

}

Note: 

direction: local and remote. In CLIENTSSL_HANDSHAKE, local means FortiADC's cert, remote means client's cert.

operation: index, count, issuer

type: info, der, (pem)

this command return a table, it contains all info in the cert.

in the return, contain: key_algorithm, hash, serial_number, not Before, not After, signature_algorithm, version, digest, issuer_name, subject_name, old_hash, pin-sha256, finger_print.

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:cert_der()

Retun the der certificate when client enable verify certificate.

Syntax

SSL:cert_der();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE{

debug("client handshake\n")

cder=SSL:cert_der();

--debug("cder in HEX %s\n", to_HEX(cder));

if cder then

cder_hex=b64_enc_str(cder);

debug("whole cert : %s\n", cder_hex);

end

}

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE

SSL:peer_cert(str)

Returns the peer certificate

Syntax

SSL:peer_cert(str);

Arguments

Name Description

str

A string which specifies the cert format.

Examples

when CLIENTSSL_HANDSHAKE {

cder = SSL:peer_cert(“der”); --for remote leaf certificate, the input parameter can be “info” or “der” or “pem”

if cder then

hash = sha1_hex_str(cder)

debug(“whole cert sha1 hash is: %s\n”, hash)

end

}

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL commands

SSL:cipher()

Returns the cipher in handshake..

Syntax

SSL:cipher();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE{

debug("client_handshake\n")

ci=SSL:cipher();

debug("Cipher: %s \n",ci);

}

Result: (if client send https request with cipher ECDHE-RSA-DES-CBC3-SHA)

Cipher: ECDHE-RSA-DES-CBC3-SHA

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE

SSL:version()

Returns the SSL version in handshake.

Syntax

SSL:version();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE{

debug("client handshake\n")

ver=SSL:version();

debug("SSL Version: %s \n",ver);

}

Result: (client send https request with various version)

client handshake

SSL Version: TLSv1

or

client handshake

SSL Version: TLSv1.1

or

client handshake

SSL Version: TLSv1.2

or

client handshake

SSL Version: SSLv3

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE

SSL:alg_keysize()

Returns the SSL encryption keysize in handshake..

Syntax

SSL:alg_keysize();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE{

debug("client handshake\n")

ci=SSL:cipher();

key=SSL:alg_keysize();

debug("Cipher: %s\n",ci)

debug("Alg key size: %s \n",key);

}

Result: (client send https request with various ciphers)

client handshake

Cipher: ECDHE-RSA-RC4-SHA

Alg key size: 128

or

client handshake

Cipher: ECDHE-RSA-DES-CBC3-SHA

Alg key size: 168

or

client handshake

Cipher: EDH-RSA-DES-CBC-SHA

Alg key size: 56

or

client handshake

Cipher: ECDHE-RSA-AES256-GCM-SHA384

Alg key size: 256

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE

SSL:client_cert()

Returns the status of client-certificate-verify, whether or not it is enabled.

Syntax

SSL:client_cert();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE{

debug("client handshake\n")

cc=SSL:client_cert();

debug("Client cert: %s \n",cc);

}

Result:

1. If not verify certificate is not set.

Debug output:

client handshake

Client cert: false

2. If enabled verify in client-ssl-profile.

config system certificate certificate_verify

edit "verify"

config group_member

edit 2

set ca-certificate ca6

next

end

next

end

config load-balance client-ssl-profile

edit "csp"

set client-certificate-verify verify

next

end

debug output:

client handshake

Client cert: true

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:sni()

Returns the SNI or false(if no).

Syntax

SSL:sni();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE {

debug("client handshake\n")

cc=SSL:sni();

debug("SNI: %s \n",cc);

}

Result:

Enable sni in client-ssl-profile

config load-balance client-ssl-profile

edit "csp"

set client-sni-required enable

next

end

1.client send https request without sni

[root@NxLinux certs]# openssl s_client -connect 5.1.1.100:443

Debug output:

Client handshake

SNI: false

2. client send https request with sni

openssl s_client -connect 5.1.1.100:443 -servername 4096-rootca-rsa-server1

debug output :

client handshake

SNI: 4096-rootca-rsa-server1

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:npn()

Returns the next protocol negotiation strig or false(if no).

Syntax

SSL:npn();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE {

npn = SSL:npn()

}

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:alpn()

Allow you to get the SSL ALPN extension.

Syntax

SSL:alpn();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE {

alpn = SSL:alpn()

}

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:session(t)

Allows you to get SSL session id / reused / remove from cache.

Syntax

SSL:session(t);

Arguments

Name Description

t

A table which specifies the operation to the session.

Examples

when CLIENTSSL_HANDSHAKE {

t={}

t[“operation”] = “get_id”; --can be “get_id” or “remove” or “reused”

sess_Id = SSL:session(t)

if sess_id then

id = to_HEX(sess_id)

debug(“client sess id %s\n”, id)

else

sess_id = “FALSE”

end

}

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:cert(t)

Allow you to get the cert info between local or remote

Syntax

SSL:cert(t);

Arguments

Name Description

t

A table which specifies the cert direction, and operation.

Examples

when CLIENTSSL_HANDSHAKE{

debug("client handshake\n")

t={}

t["direction"]="remote";

t["operation"]="index";

t["idx"]=0;

t["type"]="info";

cert=SSL:cert(t)

if cert then

debug("client has cert\n")

end

for k,v in pairs(cert) do

if k=="serial_number" or k=="digest" then

debug("cert info name %s, value in HEX %s\n", k, to_HEX(v));

else

debug("cert info name %s, value %s\n", k, v);

end

end

}

Note: 

direction: local and remote. In CLIENTSSL_HANDSHAKE, local means FortiADC's cert, remote means client's cert.

operation: index, count, issuer

type: info, der, (pem)

this command return a table, it contains all info in the cert.

in the return, contain: key_algorithm, hash, serial_number, not Before, not After, signature_algorithm, version, digest, issuer_name, subject_name, old_hash, pin-sha256, finger_print.

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:cert_der()

Retun the der certificate when client enable verify certificate.

Syntax

SSL:cert_der();

Arguments: N/A

Examples

when CLIENTSSL_HANDSHAKE{

debug("client handshake\n")

cder=SSL:cert_der();

--debug("cder in HEX %s\n", to_HEX(cder));

if cder then

cder_hex=b64_enc_str(cder);

debug("whole cert : %s\n", cder_hex);

end

}

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE

SSL:peer_cert(str)

Returns the peer certificate

Syntax

SSL:peer_cert(str);

Arguments

Name Description

str

A string which specifies the cert format.

Examples

when CLIENTSSL_HANDSHAKE {

cder = SSL:peer_cert(“der”); --for remote leaf certificate, the input parameter can be “info” or “der” or “pem”

if cder then

hash = sha1_hex_str(cder)

debug(“whole cert sha1 hash is: %s\n”, hash)

end

}

FortiADC version: V5.0

Used in events:

Used in CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE