SSL commands

SSL:cipher()

Returns the cipher negotiated in the handshake.

Syntax

SSL:cipher();

Arguments: N/A

Examples

    when CLIENTSSL_HANDSHAKE {
        debug("client_handshake\n")
        ci = SSL:cipher();
        debug("Cipher: %s \n", ci);
    }

Result (if the client sends an HTTPS request with cipher ECDHE-RSA-DES-CBC3-SHA):

Cipher: ECDHE-RSA-DES-CBC3-SHA

FortiADC version: V5.0

Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE

SSL:version()

Returns the SSL/TLS protocol version negotiated in the handshake.

Syntax

SSL:version();

Arguments: N/A

Examples

    when CLIENTSSL_HANDSHAKE {
        debug("client handshake\n")
        ver = SSL:version();
        debug("SSL Version: %s \n", ver);
    }

Result (the client sends HTTPS requests with various protocol versions):

    client handshake
    SSL Version: TLSv1

or

    client handshake
    SSL Version: TLSv1.1

or

    client handshake
    SSL Version: TLSv1.2

or

    client handshake
    SSL Version: SSLv3

FortiADC version: V5.0

Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE

SSL:alg_keysize()

Returns the key size (in bits) of the encryption algorithm negotiated in the handshake.

Syntax

SSL:alg_keysize();

Arguments: N/A

Examples

    when CLIENTSSL_HANDSHAKE {
        debug("client handshake\n")
        ci = SSL:cipher();
        key = SSL:alg_keysize();
        debug("Cipher: %s\n", ci)
        debug("Alg key size: %s \n", key);
    }

Result (the client sends HTTPS requests with various ciphers):

    client handshake
    Cipher: ECDHE-RSA-RC4-SHA
    Alg key size: 128

or

    client handshake
    Cipher: ECDHE-RSA-DES-CBC3-SHA
    Alg key size: 168

or

    client handshake
    Cipher: EDH-RSA-DES-CBC-SHA
    Alg key size: 56

or

    client handshake
    Cipher: ECDHE-RSA-AES256-GCM-SHA384
    Alg key size: 256

FortiADC version: V5.0

Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE
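SSL:version(), SSL:cipher() and SSL:alg_keysize() can be combined into one handshake-hygiene check that logs every weak client handshake. This is an added example, not code from the FortiADC documentation; the weak-version list, the cipher-name fragments and the 128-bit threshold are this example's own policy choices, and it assumes the script body accepts standard Lua library calls (string.find, table.concat, tonumber).

```lua
-- Added example: flag weak client handshakes using only the three
-- commands documented above. Policy values below are this example's
-- own choices, not FortiADC defaults.
when CLIENTSSL_HANDSHAKE {
    local ver = SSL:version()
    local ci  = SSL:cipher()
    local key = SSL:alg_keysize()

    -- Protocol versions this policy treats as unacceptable
    -- (strings as printed by SSL:version() in the documentation).
    local weak_versions = { ["SSLv3"] = true, ["TLSv1"] = true, ["TLSv1.1"] = true }
    -- Cipher-name fragments this policy treats as unacceptable.
    -- "DES" also matches the 168-bit 3DES suite (DES-CBC3), on purpose.
    local weak_ciphers = { "RC4", "DES", "MD5", "NULL" }

    local reasons = {}
    if ver and weak_versions[ver] then
        reasons[#reasons + 1] = "version " .. ver
    end
    for _, frag in ipairs(weak_ciphers) do
        -- plain find: the fragment is matched literally, not as a Lua pattern
        if ci and string.find(ci, frag, 1, true) then
            reasons[#reasons + 1] = "cipher " .. ci
            break
        end
    end
    -- The documentation prints the key size with %s, so coerce it
    -- before comparing numerically.
    local bits = tonumber(key)
    if bits and bits < 128 then
        reasons[#reasons + 1] = "key size " .. tostring(bits)
    end

    if #reasons > 0 then
        debug("WEAK handshake: %s\n", table.concat(reasons, ", "))
    else
        debug("handshake ok: %s %s %s bits\n",
              tostring(ver), tostring(ci), tostring(key))
    end
}
```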

SSL:client_cert()

Returns the status of client-certificate-verify, whether or not it is enabled.

Syntax

SSL:client_cert();

Arguments: N/A

Examples

    when CLIENTSSL_HANDSHAKE {
        debug("client handshake\n")
        cc = SSL:client_cert();
        debug("Client cert: %s \n", cc);
    }

Result:

1. If client-certificate-verify is not set in the client-ssl-profile:

Debug output:

    client handshake
    Client cert: false

2. If verification is enabled in the client-ssl-profile:

    config system certificate certificate_verify
        edit "verify"
            config group_member
                edit 2
                    set ca-certificate ca6
                next
            end
        next
    end

    config load-balance client-ssl-profile
        edit "csp"
            set client-certificate-verify verify
        next
    end

Debug output:

    client handshake
    Client cert: true

FortiADC version: V5.0

Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:sni()

Returns the SNI (Server Name Indication) sent in the handshake, or false if none was sent.

Syntax

SSL:sni();

Arguments: N/A

Examples

    when CLIENTSSL_HANDSHAKE {
        debug("client handshake\n")
        cc = SSL:sni();
        debug("SNI: %s \n", cc);
    }

Result:

Enable SNI in the client-ssl-profile:

    config load-balance client-ssl-profile
        edit "csp"
            set client-sni-required enable
        next
    end

1. The client sends an HTTPS request without SNI:

    [root@NxLinux certs]# openssl s_client -connect 5.1.1.100:443

Debug output:

    client handshake
    SNI: false

2. The client sends an HTTPS request with SNI:

    openssl s_client -connect 5.1.1.100:443 -servername 4096-rootca-rsa-server1

Debug output:

    client handshake
    SNI: 4096-rootca-rsa-server1

FortiADC version: V5.0

Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:npn()

Returns the Next Protocol Negotiation (NPN) string, or false if none was negotiated.

Syntax

SSL:npn();

Arguments: N/A

Examples

    when CLIENTSSL_HANDSHAKE {
        npn = SSL:npn()
    }

FortiADC version: V5.0

Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:alpn()

Allows you to get the value of the SSL ALPN (Application-Layer Protocol Negotiation) extension.

Syntax

SSL:alpn();

Arguments: N/A

Examples

    when CLIENTSSL_HANDSHAKE {
        alpn = SSL:alpn()
    }

FortiADC version: V5.0

Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:session(t)

Allows you to get the SSL session ID, check whether the session was reused, or remove the session from the cache.

Syntax

SSL:session(t);

Arguments

    t    A table which specifies the operation on the session.

Examples

    when CLIENTSSL_HANDSHAKE {
        t = {}
        t["operation"] = "get_id"; -- can be "get_id" or "remove" or "reused"
        sess_id = SSL:session(t)
        if sess_id then
            id = to_HEX(sess_id)
            debug("client sess id %s\n", id)
        else
            sess_id = "FALSE"
        end
    }

FortiADC version: V5.0

Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:cert(t)

Allows you to get certificate information for either the local or the remote side of the connection.

Syntax

SSL:cert(t);

Arguments

    t    A table which specifies the certificate direction, operation, index and type.

Examples

    when CLIENTSSL_HANDSHAKE {
        debug("client handshake\n")
        t = {}
        t["direction"] = "remote";
        t["operation"] = "index";
        t["idx"] = 0;
        t["type"] = "info";
        cert = SSL:cert(t)
        -- Only iterate when a certificate was returned; pairs(nil) raises an error.
        if cert then
            debug("client has cert\n")
            for k, v in pairs(cert) do
                if k == "serial_number" or k == "digest" then
                    debug("cert info name %s, value in HEX %s\n", k, to_HEX(v));
                else
                    debug("cert info name %s, value %s\n", k, v);
                end
            end
        end
    }

Note:

direction: local or remote. In CLIENTSSL_HANDSHAKE, local means FortiADC's certificate and remote means the client's certificate.

operation: index, count, issuer

type: info, der, (pem)

With type "info", this command returns a table containing all the information in the certificate.

The returned table contains: key_algorithm, hash, serial_number, not Before, not After, signature_algorithm, version, digest, issuer_name, subject_name, old_hash, pin-sha256, finger_print.

FortiADC version: V5.0

Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE

SSL:cert_der()

Returns the client certificate in DER form when client certificate verification is enabled.

Syntax

SSL:cert_der();

Arguments: N/A

Examples

    when CLIENTSSL_HANDSHAKE {
        debug("client handshake\n")
        cder = SSL:cert_der();
        --debug("cder in HEX %s\n", to_HEX(cder));
        if cder then
            cder_hex = b64_enc_str(cder);
            debug("whole cert : %s\n", cder_hex);
        end
    }

FortiADC version: V5.0

Used in events: CLIENTSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE

SSL:peer_cert(str)

Returns the peer's leaf certificate in the requested format.

Syntax

SSL:peer_cert(str);

Arguments

    str    A string which specifies the certificate format.

Examples

    when CLIENTSSL_HANDSHAKE {
        cder = SSL:peer_cert("der"); -- for the remote leaf certificate, the input parameter can be "info" or "der" or "pem"
        if cder then
            hash = sha1_hex_str(cder)
            debug("whole cert sha1 hash is: %s\n", hash)
        end
    }

FortiADC version: V5.0

Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE
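SSL:client_cert(), SSL:cert(t) and SSL:peer_cert(str) can be used together to pin presented client certificates to known keys and log any mismatch. This is an added example, not code from the FortiADC documentation; the allowlist entries are constructed placeholders, and it assumes that subject_name and pin-sha256 in the "info" table are plain strings and that SSL:peer_cert("der") returns the same leaf certificate as SSL:cert(t) with idx 0.

```lua
-- Added example: compare the client's leaf certificate against an
-- allowlist keyed by subject name. The allowlist values are placeholders.
when CLIENTSSL_HANDSHAKE {
    -- Placeholder allowlist: subject_name -> expected pin-sha256 value.
    local allowed_pins = {
        ["CN=client1,O=Example"] = "PLACEHOLDER_PIN_SHA256_CLIENT1",
        ["CN=client2,O=Example"] = "PLACEHOLDER_PIN_SHA256_CLIENT2",
    }

    if not SSL:client_cert() then
        -- No verification configured, so no client cert can be expected.
        debug("client-certificate-verify not enabled; pin check skipped\n")
    else
        local t = {}
        t["direction"] = "remote"   -- in CLIENTSSL_HANDSHAKE: the client's cert
        t["operation"] = "index"
        t["idx"] = 0                -- index 0: the leaf certificate
        t["type"] = "info"
        local cert = SSL:cert(t)

        if not cert then
            debug("no client certificate presented\n")
        else
            local subject  = cert["subject_name"]
            local pin      = cert["pin-sha256"]
            local expected = allowed_pins[subject]
            if expected == nil then
                debug("client cert subject not in allowlist: %s\n", tostring(subject))
            elseif pin ~= expected then
                -- Same subject but a different key: re-issued or unexpected certificate.
                debug("PIN MISMATCH for %s: got %s\n", tostring(subject), tostring(pin))
            else
                debug("client cert pinned OK: %s (serial %s)\n",
                      tostring(subject), to_HEX(cert["serial_number"]))
            end
            -- The DER leaf's SHA-1 is a stable identifier to correlate with
            -- the certificate on the client side or in other logs.
            local der = SSL:peer_cert("der")
            if der then
                debug("leaf sha1: %s\n", sha1_hex_str(der))
            end
        end
    end
}
```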