Forum Discussion
CREDCO_17916
Apr 10, 2008
Nimbostratus
Hi,
This still isn't working for me. At this point all I'm trying to do is put the SSL information into the persistence table. However, when I hit the VIP that this iRule is assigned to, I get this in the LTM log. I've imported my CA onto the BigIP, I assigned that CA to the ClientSSL profile that I configured for the Virtual Server, and from the logs below it looks like BigIP is decrypting the client cert and extracting the SSL ID. But it still doesn't like something about the last line in the iRule where I'm trying to enter the SSL info into the persistence table. It appears to me that it doesn't think the "when CLIENTSSL_CLIENTCERT" condition is true; at least that's how I interpret the error.
Apr 10 16:41:46 tmm tmm[943]: Rule CC_2 : ===========================
Apr 10 16:41:46 tmm tmm[943]: Rule CC_2 : <>
Apr 10 16:41:46 tmm tmm[943]: Rule CC_2 : The timeout is set to: 300
Apr 10 16:41:46 tmm tmm[943]: Rule CC_2 : SSL Error is: ok
Apr 10 16:41:46 tmm tmm[943]: Rule CC_2 : SSL ID is: 55b2a9a2a30217fe6af49fdf555090099da4be966027c74a515c2b0fbee2dd68
Apr 10 16:41:46 tmm tmm[943]: 01220001:3: TCL error: Rule CC_2 - Prerequisite operation not in progress (line 1) invoked from within "session add ssl [SSL::sessionid] $ssl_stuff $session_timeout"
when CLIENTSSL_CLIENTCERT {
    log local0. "==========================="
    log local0. "<>"
    # set time to maintain session data (in seconds)
    set session_timeout 300
    set ssl_stuff [list anything1 anything2]
    # client certificate, verification result string and SSL session ID
    set ssl_cert [SSL::cert 0]
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    set ssl_id [SSL::sessionid]
    log local0. "SSL Error is: $ssl_errstr"
    lset ssl_stuff 0 $ssl_cert
    lset ssl_stuff 1 $ssl_errstr
    log local0. "SSL ID is: $ssl_id"
    # this is the line the TCL error in the log above points at
    session add ssl [SSL::sessionid] $ssl_stuff $session_timeout
}
when HTTP_REQUEST {
    # read back what was stored for this SSL session
    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
    set ssl_cert2 [lindex $ssl_stuff2 0]
    set ssl_errstr2 [lindex $ssl_stuff2 1]
    log local0. "HTTP_REQUEST: SSLStuff: $ssl_stuff2"
    log local0. "HTTP_REQUEST: SSLCert: $ssl_cert2"
    log local0. "HTTP_REQUEST: SSLErrStr: $ssl_errstr2"
    if { $ssl_errstr2 eq "ok" } {
        # our stuff
    } else {
        log local0. "HTTP_REQUEST: SSLErrStr2 not OK: $ssl_errstr2"
    }
}
I know this iRule isn't very exciting, but I would definitely appreciate any help you could provide.
Thank you