Hi Al,
I'd guess the client isn't actually presenting a cert and so there isn't valid output from the first X509 command. Can you log the string length of $cert when the error occurs? Or if you're not able to reproduce the error at will, you could add logic to prevent the issue from happening:
when CLIENTSSL_CLIENTCERT {
Check if the cert output isn't null
if {[SSL::cert 0] ne ""}{
set cert [SSL::cert 0]
set sn [X509::serial_number $cert]
set subject [X509::subject $cert]
set issuer [X509::issuer $cert]
set version [X509::version $cert]
session add uie [SSL::sessionid] [list $sn $issuer $subject $version] 1800
}
}
Aaron