SSL commands
SSL commands are functions that return SSL-related information about the current handshake, such as the negotiated cipher, certificates and the SNI:
SSL:cipher() — Returns the cipher in the handshake.
SSL:version() — Returns the SSL version in the handshake.
SSL:alg_keysize() — Returns the SSL encryption key size in the handshake.
SSL:client_cert() — Returns the status of client-certificate-verify, whether or not it is enabled.
SSL:sni() — Returns the SNI or false (if no SNI).
SSL:npn() — Returns the next protocol negotiation string or false (if no NPN).
SSL:alpn() — Allows you to get the SSL ALPN extension.
SSL:session(t) — Allows you to get SSL session ID, reuse the session, or remove it from the cache.
SSL:cert(t) — Returns certificate information for the local or remote end of the connection.
SSL:cert_der() — Returns the client certificate in DER form when client-certificate-verify is enabled in the client-ssl-profile.
SSL:peer_cert(str) — Returns the peer certificate.
SSL:cipher()
Returns the cipher in the handshake.
Syntax
SSL:cipher();
Arguments
N/A
Example
when CLIENTSSL_HANDSHAKE {
    debug("client_handshake\n")
    ci = SSL:cipher();
    debug("Cipher: %s \n", ci);
}
Result (if the client sends an HTTPS request with cipher ECDHE-RSA-DES-CBC3-SHA):
Cipher: ECDHE-RSA-DES-CBC3-SHA
FortiADC version: V5.0
Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE
SSL:version()
Returns the SSL version in the handshake.
Syntax
SSL:version();
Arguments
N/A
Example
when CLIENTSSL_HANDSHAKE {
    debug("client handshake\n")
    ver = SSL:version();
    debug("SSL Version: %s \n", ver);
}
Result (client sends HTTPS requests with various versions):
client handshake
SSL Version: TLSv1
or
client handshake
SSL Version: TLSv1.1
or
client handshake
SSL Version: TLSv1.2
or
client handshake
SSL Version: SSLv3
FortiADC version: V5.0
Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE
SSL:alg_keysize()
Returns the SSL encryption key size in the handshake.
Syntax
SSL:alg_keysize();
Arguments
N/A
Example
when CLIENTSSL_HANDSHAKE {
    debug("client handshake\n")
    ci = SSL:cipher();
    key = SSL:alg_keysize();
    debug("Cipher: %s\n", ci)
    debug("Alg key size: %s \n", key);
}
Result (client sends HTTPS requests with various ciphers):
client handshake
Cipher: ECDHE-RSA-RC4-SHA
Alg key size: 128
or
client handshake
Cipher: ECDHE-RSA-DES-CBC3-SHA
Alg key size: 168
or
client handshake
Cipher: EDH-RSA-DES-CBC-SHA
Alg key size: 56
or
client handshake
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Alg key size: 256
FortiADC version: V5.0
Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE
SSL:client_cert()
Returns the status of client-certificate-verify, whether or not it is enabled.
Syntax
SSL:client_cert();
Arguments
N/A
Example
when CLIENTSSL_HANDSHAKE {
    debug("client handshake\n")
    cc = SSL:client_cert();
    debug("Client cert: %s \n", cc);
}
Result:
- If client-certificate-verify is not set:
Debug output:
client handshake
Client cert: false
- If verify is enabled in the client-ssl-profile:
config system certificate certificate_verify
    edit "verify"
        config group_member
            edit 2
                set ca-certificate ca6
            next
        end
    next
end
config load-balance client-ssl-profile
    edit "csp"
        set client-certificate-verify verify
    next
end
Debug output:
client handshake
Client cert: true
FortiADC version: V5.0
Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE
SSL:sni()
Returns the SNI or false (if no SNI).
Syntax
SSL:sni();
Arguments
N/A
Example
when CLIENTSSL_HANDSHAKE {
    debug("client handshake\n")
    cc = SSL:sni();
    debug("SNI: %s \n", cc);
}
Result:
Enable SNI in the client-ssl-profile:
config load-balance client-ssl-profile
    edit "csp"
        set client-sni-required enable
    next
end
- Client sends an HTTPS request without SNI:
[root@NxLinux certs]# openssl s_client -connect 5.1.1.100:443
Debug output:
client handshake
SNI: false
- Client sends an HTTPS request with SNI:
openssl s_client -connect 5.1.1.100:443 -servername 4096-rootca-rsa-server1
Debug output:
client handshake
SNI: 4096-rootca-rsa-server1
FortiADC version: V5.0
Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE
SSL:npn()
Returns the next protocol negotiation string or false (if no NPN).
Syntax
SSL:npn();
Arguments
N/A
Example
when CLIENTSSL_HANDSHAKE {
    npn = SSL:npn()
}
FortiADC version: V5.0
Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE
SSL:alpn()
Allows you to get the SSL ALPN extension.
Syntax
SSL:alpn();
Arguments
N/A
Example
when CLIENTSSL_HANDSHAKE {
    alpn = SSL:alpn()
}
FortiADC version: V5.0
Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE
SSL:session(t)
Allows you to get SSL session ID, reuse the session, or remove it from the cache.
Syntax
SSL:session(t);
Arguments
Name | Description |
---|---|
t | A table which specifies the operation on the session. |
Example
when CLIENTSSL_HANDSHAKE {
    t = {}
    t["operation"] = "get_id";  -- can be "get_id", "remove" or "reused"
    sess_id = SSL:session(t)
    if sess_id then
        id = to_HEX(sess_id)
        debug("client sess id %s\n", id)
    else
        sess_id = "FALSE"
    end
}
FortiADC version: V5.0
Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE
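As an added example that is not code from the FortiADC documentation or product, the following script pulls together the SSL:cipher(), SSL:version(), SSL:alg_keysize() and SSL:sni() commands above with SSL:session(t): it audits a client handshake for deprecated protocol versions, short keys, legacy cipher families and a missing SNI, logs each finding with the session ID, and removes a weak session from the cache so it cannot be resumed. The SSL object, debug() and to_HEX() stand-ins under the "offline stub" marker are constructed so the function can be exercised in a stock Lua interpreter; on FortiADC they are supplied by the runtime and the stub is deleted. The threshold values are assumptions, as is the assumption that a function may be defined inside the when CLIENTSSL_HANDSHAKE { } block (if not, inline its body).

```lua
-- Added example, not FortiADC code: handshake audit with session eviction.

---------------------------------------------------------------- offline stub
-- Constructed handshake values; on FortiADC the real SSL object supplies them.
SSL = {
  cipher      = function(self) return "ECDHE-RSA-DES-CBC3-SHA" end,
  version     = function(self) return "TLSv1" end,
  alg_keysize = function(self) return 168 end,
  sni         = function(self) return false end,
  session     = function(self, t)
    if t["operation"] == "get_id" then return "\1\2\3\4" end  -- constructed id
    if t["operation"] == "remove" then self.removed = true; return true end
  end,
}
-- debug() and to_HEX() are FortiADC script functions; these stand-ins print
-- to stdout and hex-encode a string so the audit runs offline.
debug = function(fmt, ...) io.write(string.format(fmt, ...)) end
to_HEX = function(s)
  return (s:gsub(".", function(c) return string.format("%02X", c:byte()) end))
end
-------------------------------------------------------------- end of stub

-- Minimum acceptable parameters (policy values assumed for this example).
local MIN_KEY_BITS = 128
local BAD_VERSIONS = { SSLv3 = true, TLSv1 = true, ["TLSv1.1"] = true }

-- Returns a list of findings; an empty list means the handshake is acceptable.
function audit_handshake()
  local findings = {}
  local ver  = SSL:version()
  local ci   = SSL:cipher()
  local bits = tonumber(SSL:alg_keysize()) or 0   -- key size may arrive as a string
  local sni  = SSL:sni()                           -- false when the client sent none

  if BAD_VERSIONS[ver] then
    findings[#findings + 1] = "deprecated protocol " .. tostring(ver)
  end
  if bits < MIN_KEY_BITS then
    findings[#findings + 1] = "key size " .. bits .. " below " .. MIN_KEY_BITS
  end
  -- Legacy cipher families flagged by suite name (RC4, and DES/3DES).
  if ci:find("RC4", 1, true) or ci:find("DES", 1, true) then
    findings[#findings + 1] = "legacy cipher " .. ci
  end
  if not sni then
    findings[#findings + 1] = "no SNI sent"
  end

  -- Log every finding with the session ID so events can be correlated.
  local sess_id = SSL:session({ operation = "get_id" })
  local id = sess_id and to_HEX(sess_id) or "none"
  for _, f in ipairs(findings) do
    debug("handshake audit [sess %s]: %s\n", id, f)
  end

  -- A weak handshake must not be resumable: drop it from the session cache.
  if #findings > 0 and sess_id then
    SSL:session({ operation = "remove" })
    debug("handshake audit [sess %s]: session removed from cache\n", id)
  end
  return findings
end

-- On FortiADC the same function runs inside the event block:
--   when CLIENTSSL_HANDSHAKE {
--       audit_handshake()
--   }
audit_handshake()
```

With the constructed stub values the audit reports four findings (TLSv1, 3DES cipher, and no SNI; the 168-bit key passes the size check) and evicts the session; on a real unit the output is whatever the client actually negotiated.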
SSL:cert(t)
Returns certificate information for the local or remote end of the connection.
Syntax
SSL:cert(t);
Arguments
Name | Description |
---|---|
t | A table which specifies the certificate direction and the operation. |
Example
when CLIENTSSL_HANDSHAKE {
    debug("client handshake\n")
    t = {}
    t["direction"] = "remote";
    t["operation"] = "index";
    t["idx"] = 0;
    t["type"] = "info";
    cert = SSL:cert(t)
    if cert then
        debug("client has cert\n")
        -- iterate only when a certificate table was returned
        for k, v in pairs(cert) do
            if k == "serial_number" or k == "digest" then
                debug("cert info name %s, value in HEX %s\n", k, to_HEX(v));
            else
                debug("cert info name %s, value %s\n", k, v);
            end
        end
    end
}
Note:
- direction: local or remote. In CLIENTSSL_HANDSHAKE, local means FortiADC's certificate and remote means the client's certificate.
- operation: index, count, issuer
- type: info, der, (pem)
This command returns a table that contains all the information in the certificate.
The returned table contains: key_algorithm, hash, serial_number, not Before, not After, signature_algorithm, version, digest, issuer_name, subject_name, old_hash, pin-sha256, finger_print.
FortiADC version: V5.0
Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE
SSL:cert_der()
Returns the client certificate in DER form when client-certificate-verify is enabled in the client-ssl-profile.
Syntax
SSL:cert_der();
Arguments
N/A
Example
when CLIENTSSL_HANDSHAKE {
    debug("client handshake\n")
    cder = SSL:cert_der();
    --debug("cder in HEX %s\n", to_HEX(cder));
    if cder then
        cder_hex = b64_enc_str(cder);
        debug("whole cert : %s\n", cder_hex);
    end
}
FortiADC version: V5.0
Used in events: CLIENTSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE
SSL:peer_cert(str)
Returns the peer certificate.
Syntax
SSL:peer_cert(str);
Arguments
Name | Description |
---|---|
str | A string which specifies the certificate format. |
Example
when CLIENTSSL_HANDSHAKE {
    cder = SSL:peer_cert("der");  -- for the remote leaf certificate, the input parameter can be "info", "der" or "pem"
    if cder then
        hash = sha1_hex_str(cder)
        debug("whole cert sha1 hash is: %s\n", hash)
    end
}
FortiADC version: V5.0
Used in events: CLIENTSSL_HANDSHAKE / SERVERSSL_HANDSHAKE / CLIENTSSL_RENEGOTIATE / SERVERSSL_RENEGOTIATE
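As an added example that is not code from the FortiADC documentation or product, the following script builds on the SSL:peer_cert(str) example above and on SSL:cert(t): it allow-lists the client's leaf certificate by the SHA-1 of its DER encoding and logs the subject and serial number from SSL:cert(t) for the audit trail, failing closed when no certificate is available. The SSL object, debug(), to_HEX() and sha1_hex_str() stand-ins under the "offline stub" marker are constructed so the function can be exercised in a stock Lua interpreter; the DER bytes, certificate fields and pin value are constructed placeholders, not real certificates or digests. The assumption that a function may be defined inside the when CLIENTSSL_HANDSHAKE { } block is the same as in the earlier example.

```lua
-- Added example, not FortiADC code: peer certificate pin check.

---------------------------------------------------------------- offline stub
-- Constructed stand-ins for the FortiADC runtime; delete when deploying.
local CONSTRUCTED_DER = "constructed DER bytes (not a real certificate)"
SSL = {
  peer_cert = function(self, fmt)
    if fmt == "der" then return CONSTRUCTED_DER end
  end,
  cert = function(self, t)
    if t["direction"] == "remote" and t["operation"] == "index" and t["idx"] == 0 then
      return { subject_name = "CN=constructed-client",  -- constructed fields
               issuer_name  = "CN=constructed-ca",
               serial_number = "\1\35\69\103" }
    end
  end,
}
debug  = function(fmt, ...) io.write(string.format(fmt, ...)) end
to_HEX = function(s)
  return (s:gsub(".", function(c) return string.format("%02X", c:byte()) end))
end
-- Stand-in for FortiADC's sha1_hex_str(): returns a fixed constructed digest
-- for the constructed DER above (it does not compute SHA-1).
sha1_hex_str = function(s)
  if s == CONSTRUCTED_DER then return "0123456789abcdef0123456789abcdef01234567" end
  return "0000000000000000000000000000000000000000"
end
-------------------------------------------------------------- end of stub

-- Pins: lowercase SHA-1 hex of each accepted DER leaf certificate. The value
-- below is a constructed placeholder; on FortiADC compute real ones with
--   openssl x509 -in client.pem -outform der | sha1sum
local PINNED = {
  ["0123456789abcdef0123456789abcdef01234567"] = "constructed-client",
}

-- Returns true when the peer leaf certificate matches a pin, false otherwise.
-- Fails closed: no certificate (client-certificate-verify off, or none
-- presented) counts as not pinned.
function peer_is_pinned()
  local der = SSL:peer_cert("der")
  if not der then
    debug("pin check: no peer certificate available\n")
    return false
  end
  local hash = sha1_hex_str(der):lower()

  -- Subject and serial from the "info" view of the same leaf certificate.
  local info = SSL:cert({ direction = "remote", operation = "index", idx = 0, type = "info" })
  local subject = info and info["subject_name"] or "?"
  local serial  = (info and info["serial_number"]) and to_HEX(info["serial_number"]) or "?"

  if PINNED[hash] then
    debug("pin check: OK subject=%s serial=%s sha1=%s (%s)\n",
          subject, serial, hash, PINNED[hash])
    return true
  end
  debug("pin check: MISMATCH subject=%s serial=%s sha1=%s\n", subject, serial, hash)
  return false
end

-- On FortiADC the check runs inside the event block:
--   when CLIENTSSL_HANDSHAKE {
--       peer_is_pinned()
--   }
peer_is_pinned()
```

Pinning by the digest of the full DER encoding means any change to the certificate, including a renewal, produces a mismatch, so the allow-list has to be updated before a pinned client certificate is rotated.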