iRule v9 to v10 conversion

Hello, I used the iRule below just fine on version 9.4.8. We recently upgraded to 10.2. Now I get the following error in /var/log/ltm whenever this iRule is invoked:

 

 

Sep 7 23:17:41 local/tmm1 err tmm1[18638]: 01220001:3: TCL error: SSL_Header_Values_Insert - wrong args: should be "session add ssl " while executing "session add ssl [SSL::sessionid] $cert 600" clientside expression (line 3) invoked from within "clientside { set cert "SSL::cert" session add ssl [SSL::sessionid] $cert 600 set cname "SSL::cipher name" set cbits "SSL::cipher b..."

 

 

I tried playing around with the "session add ssl" line like so:

 

 

set sid "SSL::sessionid"

 

session add ssl $sid $cert 600

 

 

That allowed the processing to continue, however it also caused the BIGIP to panic and reboot! Below is the iRule from 9.4.8. Is there a syntax change I need to make for this to work in v10.2?

 

 

when CLIENTSSL_HANDSHAKE {

 

if { [SSL::cert count] > 0 } {

 

HTTP::release

 

}

 

}

 

when CLIENTSSL_CLIENTCERT {

 

clientside {

 

set cert "SSL::cert"

 

session add ssl [SSL::sessionid] $cert 600

 

set cname "SSL::cipher name"

 

set cbits "SSL::cipher bits"

 

set cver "SSL::cipher version"

 

set cn [X509::subject [eval $cert 0]]

 

set cSSLSubject [findstr $cn "CN=" 3 ","]

 

set cSSLClientCert [b64encode [eval $cert 0]]

 

}

 

}

 

when HTTP_REQUEST {

 

clientside {

 

set client_cert [session lookup ssl [SSL::sessionid]]

 

if { $client_cert eq ""} {

 

HTTP::collect

 

SSL::renegotiate

 

log local4.info "SSL session Timed out: renegotiating"

 

log local4.info "The page being accessed was [HTTP::uri]"

 

} else {

 

HTTP::header remove SSLSubject

 

HTTP::header remove SSLClientCert

 

HTTP::header remove SSLCipher

 

HTTP::header remove WebProtocol

 

HTTP::header remove ClientIP

 

HTTP::header replace ClientIP [IP::remote_addr]

 

if { [PROFILE::exists clientssl] == 1} {

 

HTTP::header replace SSLCipher [eval $cname]:[eval $cbits]-[eval $cver]

 

if { [eval $cert count] > 0} {

 

HTTP::header replace SSLSubject $cSSLSubject

 

HTTP::header replace SSLClientCert $cSSLClientCert

 

HTTP::header replace WebProtocol "HTTPS-auth"

 

} else {

 

HTTP::header replace WebProtocol "HTTPS"

 

}

 

} else {

 

log "session discarded"

 

discard

 

}

 

}

 

}

 

}