Forum Discussion

gestorm_105037
Jan 04, 2012

iRule SSL handshake doesn't run in 10.2.0

I have many problems with my iRule.

I have a BIG-IP in version 9.4.8, and the iRule must connect to a virtual server over HTTPS. There is a client SSL profile which generates a first certificate that is kept in cache. On Internet Explorer we must choose the certificate 2 times.

I performed an upgrade of my BIG-IP to version 10.2.0, but the problem is the same. We tested the iRule in version 10.2.0 and the iRule doesn't run with the SSL handshake; there are failures and a TCL error.

Below is the iRule used:

 

"

 

when CLIENTSSL_HANDSHAKE

 

{

 

set cur [SSL::sessionid]

 

set ask [session lookup ssl $cur]

 

if { $ask eq "" } {

 

session add ssl [SSL::sessionid] [SSL::cert 0]

 

}

 

}

 

when HTTP_REQUEST {

 

set id [SSL::sessionid]

 

set the_cert [session lookup ssl $id]

 

if { $the_cert != ""}

 

{ HTTP::header insert SSL_CLIENT_CERT [X509::whole $the_cert]

 

}

 

log local0.info "Request GET [HTTP::uri]\n"

 

log local0.info "Connection : [IP::remote_addr] -> [IP::local_addr] with method : [HTTP::method] and URI : [HTTP::uri] / X-Forwarded-For : [HTTP::header X-Forwarded-For] / SSL Certificate : [HTTP::header SSL_CLIENT_CERT]"

 

 

}

 

when HTTP_RESPONSE {

 

if {[HTTP::is_redirect]}{

 

Rewrite the Location header from http to https

 

HTTP::header replace Location [string map -nocase "http:// https://" [HTTP::header value Location]]

 

log local0.info "F5 Redirect to [HTTP::header Location]"

 

}

 

log local0.info "APACHE Response : [HTTP::status], Location : [HTTP::header Location]\n"

 

}

 

"

If you have already had this kind of problem, please can you help me?

Thanks for your help,

2 Replies

  • Can you try SOL11987?

    SSL::sessionid

    Returns the current connection's SSL session ID if it exists in the session cache.

    In version 10.x, if the session ID does not exist in the cache, returns a null string.

    In version 9.x, if the session ID does not exist in the cache, returns a string of 64 zeroes. (This known issue is documented in SOL11987.)

    SSL::sessionid wiki

    http://devcentral.f5.com/wiki/iRules.SSL__sessionid.ashx
  • You're attempting to add the client's certificate to the session table every time an SSL handshake is completed and the client's session ID isn't already in the SSL session cache. This will fail with a runtime TCL error if the client tries to resume an existing session, after the TMM session expires, but doesn't include the client cert.

    If you want to insert the details for a cert in the HTTP headers, you can use an iRule like this instead:

    http://devcentral.f5.com/wiki/iRules.InsertCertInServerHeaders.ashx

    This iRule accounts for the change in behavior that Nitass described for SSL::sessionid.

    Aaron
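The iRule below is an added example; it is neither the original poster's rule nor the F5 wiki rule that Aaron links. It rewrites the posted logic to cover the two failure modes the replies describe: it treats both the 10.x empty string and the 9.x string of 64 zeroes (SOL11987) as "no cached session", and it only calls SSL::cert 0 when the handshake actually delivered a certificate, so a resumed session without a cert no longer throws a runtime TCL error. It also strips any SSL_CLIENT_CERT header the client sent before inserting its own, because a backend that trusts that header as an identity claim must never receive a client-supplied value. The header name is kept from the post; the 3600-second session-table timeout, the SSL::cert count guard, the folding of PEM newlines to spaces and the log wording are choices made for this example.

```tcl
# Added example, not the original poster's iRule or F5's wiki iRule.
# Assumed: SSL_CLIENT_CERT header name (from the post), 3600 s table timeout,
# newline folding convention, and log wording.

when CLIENTSSL_HANDSHAKE {
    set sid [SSL::sessionid]

    # 9.x returns 64 zeroes instead of "" when the ID is not cached (SOL11987).
    # Treat both forms as "no session"; there is nothing to key the table on.
    if { $sid eq "" || $sid eq [string repeat "0" 64] } {
        return
    }

    # A resumed handshake carries no certificate, so SSL::cert 0 would fail.
    # Only record the cert when the client actually presented one.
    if { [SSL::cert count] > 0 } {
        # Store the DER cert keyed by session ID; 3600 s lifetime is an assumption.
        session add ssl $sid [SSL::cert 0] 3600
    }
}

when HTTP_REQUEST {
    # The backend trusts this header as the client's identity, so a value the
    # client supplied itself must never pass through. Remove it unconditionally.
    HTTP::header remove SSL_CLIENT_CERT

    set sid [SSL::sessionid]
    set the_cert ""
    if { $sid ne "" && $sid ne [string repeat "0" 64] } {
        set the_cert [session lookup ssl $sid]
    }

    if { $the_cert ne "" } {
        # X509::whole returns PEM, which contains newlines; a raw newline inside
        # a header value is invalid and splits the header. Fold them to spaces
        # and let the backend restore them before parsing the certificate.
        set pem [string map [list "\r\n" " " "\n" " "] [X509::whole $the_cert]]
        HTTP::header insert SSL_CLIENT_CERT $pem
        log local0.info "Client cert forwarded for [IP::remote_addr] [HTTP::method] [HTTP::uri]"
    } else {
        log local0.info "No client cert for [IP::remote_addr] [HTTP::method] [HTTP::uri]"
    }
}

when HTTP_RESPONSE {
    if { [HTTP::is_redirect] } {
        # Rewrite the Location header from http to https
        HTTP::header replace Location \
            [string map -nocase "http:// https://" [HTTP::header value Location]]
        log local0.info "Redirect rewritten to [HTTP::header Location]"
    }
}
```

The session-table entry is keyed on the TLS session ID, so a client that resumes a session within the timeout gets its certificate re-attached without renegotiating; once the entry expires and the client resumes a cached session without re-sending the certificate, the lookup returns "" and the request is simply forwarded without the header rather than raising an error. If the backend needs a stricter guarantee, it should reject requests that lack the header instead of treating them as anonymous.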