johnko05_45751 (Nimbostratus)
Sep 08, 2010
iRule v9 to v10 conversion
Hello, I used the iRule below just fine on version 9.4.8. We recently upgraded to 10.2. Now I get the following error in /var/log/ltm whenever this iRule is invoked:
Sep 7 23:17:41 local/tmm1 err tmm1[18638]: 01220001:3: TCL error: SSL_Header_Values_Insert - wrong args: should be "session add ssl " while executing "session add ssl [SSL::sessionid] $cert 600" clientside expression (line 3) invoked from within "clientside { set cert "SSL::cert" session add ssl [SSL::sessionid] $cert 600 set cname "SSL::cipher name" set cbits "SSL::cipher b..."
I tried playing around with the "session add ssl" line like so:
set sid "SSL::sessionid"
session add ssl $sid $cert 600
That allowed the processing to continue; however, it also caused the BIGIP to panic and reboot! Below is the iRule from 9.4.8. Is there a syntax change I need to make for this to work in v10.2?
when CLIENTSSL_HANDSHAKE {
    if { [SSL::cert count] > 0 } {
        HTTP::release
    }
}
when CLIENTSSL_CLIENTCERT {
    clientside {
        set cert "SSL::cert"
        session add ssl [SSL::sessionid] $cert 600
        set cname "SSL::cipher name"
        set cbits "SSL::cipher bits"
        set cver "SSL::cipher version"
        set cn [X509::subject [eval $cert 0]]
        set cSSLSubject [findstr $cn "CN=" 3 ","]
        set cSSLClientCert [b64encode [eval $cert 0]]
    }
}
when HTTP_REQUEST {
    clientside {
        set client_cert [session lookup ssl [SSL::sessionid]]
        if { $client_cert eq ""} {
            HTTP::collect
            SSL::renegotiate
            log local4.info "SSL session Timed out: renegotiating"
            log local4.info "The page being accessed was [HTTP::uri]"
        } else {
            HTTP::header remove SSLSubject
            HTTP::header remove SSLClientCert
            HTTP::header remove SSLCipher
            HTTP::header remove WebProtocol
            HTTP::header remove ClientIP
            HTTP::header replace ClientIP [IP::remote_addr]
            if { [PROFILE::exists clientssl] == 1} {
                HTTP::header replace SSLCipher [eval $cname]:[eval $cbits]-[eval $cver]
                if { [eval $cert count] > 0} {
                    HTTP::header replace SSLSubject $cSSLSubject
                    HTTP::header replace SSLClientCert $cSSLClientCert
                    HTTP::header replace WebProtocol "HTTPS-auth"
                } else {
                    HTTP::header replace WebProtocol "HTTPS"
                }
            } else {
                log "session discarded"
                discard
            }
        }
    }
}