Forum Discussion

Hille_de_Graaf_
Aug 08, 2006

Converted V4 irules not working in V9

I posted this before but the solution I got is not working.

The situation is as follows:

Clients are asked for a client cert, and if that's OK, then they can go on to the protected website. This worked fine in V4 with the following iRule:

    if (http_header("SSLClientCertStatus") == one of ccert_ok) {
        use pool Portal-apps
    }
    else if (http_header("SSLClientCertStatus") == "NoClientCert") {
        redirect to "https://portal.rdc.nl/errors/nocert.htm"
    }
    else {
        redirect to "https://portal.rdc.nl/errors/cert_error.htm"
    }

The above iRule was converted by Joe into the following V9 iRule:

    when HTTP_REQUEST {
        set hdr [HTTP::header "SSLClientCertStatus"]
        if { [matchclass $hdr equals $::ccert_ok] } {
            pool Portal-apps
        } elseif { $hdr equals "NoClientCert" } {
            HTTP::redirect "https://portal.rdc.nl/errors/nocert.htm"
        } else { HTTP::redirect "https://portal.rdc.nl/errors/cert_error.htm" }}

But that didn't work. I also used "log Local0." to see the value of $hdr, but I found out that there was no "SSLClientCertStatus" in the HTTP::header, so the value was empty.

I also tried the following iRule:

    when CLIENTSSL_CLIENTCERT {
        set result [X509::verify_cert_error_string [SSL::verify_result]]
    }

    when HTTP_REQUEST {
        if { $result eq "ok" } {
            use pool test-pool
            log local0. "de waarde van het certificaat is: $result" } elseif { $result eq "NoClientCert" } {
            HTTP::redirect "https://portal.rdc.nl/errors/nocert.htm"
            log local0. "NoClientCert waarde is: $result" } else {
            HTTP::redirect "https://portal.rdc.nl/errors/cert_error.htm"
            log local0. "Error waarde is: $result" }
    }

This works only once, and after the login on the server I got redirected to the error page. I also receive the following logging in /var/log/ltm:

    Aug 8 08:19:29 tmm tmm[743]: Rule clientssl_clientcert_test : de waarde van het certificaat is: ok
    Aug 8 08:19:51 tmm tmm[743]: 01220001:3: TCL error: Rule clientssl_clientcert_test - can't read "result": no such variable while executing "if { $result eq "ok" } { use pool test-pool log local0. "de waarde van het certificaat is: $result" } elseif { $result eq "NoClientCert"..."

Can somebody please help me?
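
Added example, not part of the original post and not F5's own code: the second iRule above with the read of $result guarded, so that a connection on which CLIENTSSL_CLIENTCERT never set the variable is redirected instead of raising the "no such variable" TCL error shown in the log. It assumes that sending such connections to the nocert page is the wanted behaviour; why the event did not fire for the later request is not established in this thread.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Runs only when a client certificate is received on this connection.
    # Variables set here are scoped to the connection that set them.
    set result [X509::verify_cert_error_string [SSL::verify_result]]
}

when HTTP_REQUEST {
    if { ![info exists result] } {
        # CLIENTSSL_CLIENTCERT did not run on this connection, so there is
        # no verification result to trust. Fail closed: do not select the
        # protected pool, and do not let an unset variable abort the rule.
        log local0. "no client certificate result on this connection"
        HTTP::redirect "https://portal.rdc.nl/errors/nocert.htm"
    } elseif { $result eq "ok" } {
        # Certificate was presented and verified on this connection.
        pool test-pool
    } else {
        # Certificate was presented but verification failed; log the reason.
        log local0. "client certificate verification failed: $result"
        HTTP::redirect "https://portal.rdc.nl/errors/cert_error.htm"
    }
}
```

The missing-variable branch takes over from the comparison against "NoClientCert", which was a value of the V4 SSLClientCertStatus header rather than a verification error string.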

2 Replies

  • Hi,

    What version of 9.x are you using? Deb pointed out in this post (Click here) that many of the SSL cert functions that worked in 9.1.x are prone to failing in 9.2.x.

    If you are running 9.2.x and are having problems with the rule, you might want to work with support to get more information on the issues.

    Aaron