Forum Discussion
hooleylist
Dec 02, 2009
Hi Mike,
Sorry for not being clearer--I was thinking you already had a fair amount of debug logging in the iRule. I was confusing it with another post. Could you add debug logging to each major code block in the existing iRule and post the /var/log/ltm output from a failure. Here's an example of the kind of info that would be helpful:
when CLIENT_ACCEPTED {
    # Per-connection state read by the later events
    set needcert 0
    set gotcert 0
    set badcert 0
    set tmm_auth_ssl_ocsp_sid 0
    set tmm_auth_ssl_ocsp_done 0
    log local0. "[IP::client_addr]:[TCP::client_port]: New TCP connection"
}
when CLIENTSSL_HANDSHAKE {
    log local0. "[IP::client_addr]:[TCP::client_port]: Cert count: [SSL::cert count]"
    set certcnt [SSL::cert count]
    if { $certcnt > 0 } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Cert0 subject: [X509::subject [SSL::cert 0]]. Releasing HTTP."
        set gotcert 1
        HTTP::release
    }
}
when CLIENTSSL_CLIENTCERT {
    set tmm_auth_ssl_ocsp_done 0
    # Start the OCSP check only once per connection, and only when a cert is required
    if { $needcert == 1 and $tmm_auth_ssl_ocsp_sid == 0 } {
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam ssl_ocsp_prod]
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
        set varcert [SSL::cert 0]
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid $varcert
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        set id [SSL::sessionid]
        set ssl_array [list blah1 blah2]
        lset ssl_array 0 [X509::verify_cert_error_string [SSL::verify_result]]
        log local0. "[IP::client_addr]:[TCP::client_port]: SessionID: [SSL::sessionid],\
            SSL verify result: [X509::verify_cert_error_string [SSL::verify_result]]. Holding SSL handshake."
        # Hold the handshake until the OCSP AUTH result comes back
        SSL::handshake hold
    }
}
...
Aaron
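An added example, not from Aaron's post and not an F5 system iRule: the AUTH_RESULT handler that the "..." above leaves out, written with the same per-event logging so the /var/log/ltm output shows whether the OCSP responder actually answered and what BIG-IP did with the answer. It assumes the variables initialised in the post's CLIENT_ACCEPTED block (tmm_auth_ssl_ocsp_sid, tmm_auth_ssl_ocsp_done, badcert) and the ssl_ocsp_prod PAM profile; the static::ssl_debug switch is an assumed name, and the resume/reject logic is patterned on F5's built-in OCSP auth iRule rather than taken from this thread.

```tcl
# Added example (assumption, not the thread's code): debug-instrumented
# AUTH_RESULT handler to sit alongside the events Aaron posted.
when RULE_INIT {
    # 1 = verbose logging to /var/log/ltm, 0 = quiet. Name is assumed; flip it
    # to 0 once the failure is understood so production is not spammed.
    set static::ssl_debug 1
}
when AUTH_RESULT {
    # Only act on the OCSP session this connection started; other AUTH
    # sessions (e.g. LDAP on the same virtual) also raise AUTH_RESULT.
    if { [info exists tmm_auth_ssl_ocsp_sid] && \
         $tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id] } {
        set tmm_auth_status [AUTH::status]
        if { $static::ssl_debug } {
            log local0. "[IP::client_addr]:[TCP::client_port]: OCSP AUTH_RESULT for session \
                $tmm_auth_ssl_ocsp_sid, status: $tmm_auth_status"
        }
        if { $tmm_auth_status == 0 } {
            # 0 = success: responder said the cert is good, let the handshake continue
            set tmm_auth_ssl_ocsp_done 1
            if { $static::ssl_debug } {
                log local0. "[IP::client_addr]:[TCP::client_port]: OCSP good. Resuming SSL handshake."
            }
            SSL::handshake resume
        } elseif { $tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 1 } {
            # Any other terminal status (revoked, responder error, timeout) fails closed.
            # This is logged unconditionally: a rejected client is worth a line even
            # with debug off.
            set badcert 1
            log local0. "[IP::client_addr]:[TCP::client_port]: OCSP check failed \
                (status $tmm_auth_status). Rejecting connection."
            reject
        }
    }
}
```

With this in place, a failing connection should produce one "New TCP connection" line, one "Holding SSL handshake" line and then either a "Resuming" or a "failed" line; a hold with no AUTH_RESULT line at all points at the responder or PAM profile rather than at the iRule. The same `if { $static::ssl_debug }` guard can be wrapped around the log calls in the other events once the problem is found.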