Forum Discussion

Anthony_Gerace_
Historic F5 Account
Oct 12, 2006

ClientSSL_clientCert variables not avail in HTTP_Request

Hi All,

I am working on an iRule that inserts the client certificate issuer and subject fields as a header for a terminated application. The following rule passes syntax checking, and though I see the logged output from the clientssl event, the log statement from the http_request event shows the certData variable as being null. Any reason why I can't access a local variable created in the clientssl_clientcert event?

Thanks for your help.

Anthony


when CLIENTSSL_CLIENTCERT {
  set certData "[X509::issuer [SSL::cert 0]], [X509::subject [SSL::cert 0]]"
  log local0. "CertData is $certData"
}
when HTTP_REQUEST {
  log local0. "CertData is $certData"
  if { [string length $certData] > 2 } {
    HTTP::header insert x-fvb2bs-client-cert $certData
    log local0. "Client [IP::remote_addr] had certificate $certData"
  }
  pool fvb2bs-443-p-mko
}

Excerpt from ltm logfile:

Oct 12 09:26:39 tmm tmm[11163]: Rule fvb2bs-cert-fields-ag : CertData is /C=US/O=FMR Corp./OU=PKI Test CA, /C=US/O=FMR Corp./OU=Applications/OU=B2B/CN=fvb2bs-test-client-access.fmr.com

Oct 12 09:26:41 tmm tmm[11163]: 01220001:3: TCL error: Rule fvb2bs-cert-fields-ag - can't read "certData": no such variable while executing "log local0. "CertData is $certData""

6 Replies

  • Colin_Walker_12
    Historic F5 Account
    Have you tried setting this as a global variable?

    when CLIENTSSL_CLIENTCERT {
      set ::certData  "[X509::issuer [SSL::cert 0]], [X509::subject [SSL::cert 0]]"
      log local0.  "CertData is $::certData"
    }
      when HTTP_REQUEST {
        log local0. "CertData is $::certData"
        if { [string length $::certData] > 2 } {
          HTTP::header insert x-fvb2bs-client-cert $::certData
          log local0. "Client [IP::remote_addr] had certificate $::certData"
        }
        pool fvb2bs-443-p-mko
    }

    Colin
  • Anthony_Gerace_
    Historic F5 Account
    Hi Colin,

    Setting certData as a global variable does work. It is my understanding that local variables are shared between the different events for a given virtual. Is this not the case?

    Is the CLIENTSSL_CLIENTCERT event in a different namespace?

    If I use global variables, are they only available within the given virtual or "globally" across the device?

    Thanks.

    Anthony
  • Deb_Allen_18
    Historic F5 Account
    Hi Anthony -

    It's my understanding that local variables are supposed to be shared across events without exception. I am not aware of any events operating in a separate namespace, and I can't imagine the logic that might support an exception in this case...

    Global variables are available across the device, so different variable names in different iRules may be required if you don't intend to share that value across iRules.

    I don't think setting a global variable will work in this case, as each new client connection will update the global variable, which will result in using the last connection's cert info for each HTTP request.

    /deb

  • unRuleY_95363
    Historic F5 Account
    BTW, it's likely that you are getting the HTTP_REQUEST event before the CLIENTSSL_CLIENTCERT event.
  • > I don't think setting a global variable will work in this case, as each new client connection will update the global variable, which will result in using the last connection's cert info for each HTTP request.

    Indeed - I think it's best to serialise the cert data into the session table with a "session add " (I think that's the right parameters from memory), and then look the data up in the HTTP_REQUEST event.

    I think the CLIENTSSL_CLIENTCERT event will only be triggered once per initial SSL negotiation (so SSL resumes won't fire it), so you only populate the session table once per client.
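    The following iRule is an added example, not code from the thread or from F5, showing how the advice above fits together: the "no such variable" error from the original post is avoided by initialising certData per connection in CLIENT_ACCEPTED (so HTTP_REQUEST can fire before CLIENTSSL_CLIENTCERT without a TCL error), the global-variable cross-connection mix-up Deb describes is avoided by keeping the variable connection-local, and the session table is used so a resumed SSL session (which does not re-fire CLIENTSSL_CLIENTCERT) can still recover its cert data. Assumptions: the `session add ssl <key> <value> <timeout>` / `session lookup ssl <key>` argument order and the use of `SSL::sessionid` as the key are from memory of the 9.x iRule reference; the 3600 second timeout is a constructed value; the header name and pool name are taken from the original post.

```tcl
# Added example (not from the thread): per-connection client cert header
# backed by the session table. Command signatures for "session" and
# SSL::sessionid are assumed from the LTM 9.x iRule reference.

when CLIENT_ACCEPTED {
    # Initialise the connection-local variable so HTTP_REQUEST never
    # hits "can't read certData: no such variable" if it fires first.
    set certData ""
}

when CLIENTSSL_CLIENTCERT {
    # Only populate when the client actually presented a certificate.
    if { [SSL::cert count] > 0 } {
        set certData "[X509::issuer [SSL::cert 0]], [X509::subject [SSL::cert 0]]"
        # Key the entry by SSL session ID so a resumed session, which does
        # not re-fire this event, can look the data up again. 3600 s is a
        # constructed timeout; pick one matching your SSL cache lifetime.
        session add ssl [SSL::sessionid] $certData 3600
        log local0. "Stored cert data for SSL session [SSL::sessionid]: $certData"
    }
}

when HTTP_REQUEST {
    # Strip any copy of the identity header the client sent itself, so the
    # backend only ever sees the value this iRule derived from the cert.
    HTTP::header remove x-fvb2bs-client-cert

    if { $certData eq "" } {
        # Either no cert on this connection or a resumed SSL session:
        # try the session table (returns "" when nothing is stored).
        set certData [session lookup ssl [SSL::sessionid]]
    }

    if { [string length $certData] > 2 } {
        HTTP::header insert x-fvb2bs-client-cert $certData
        log local0. "Client [IP::remote_addr] had certificate $certData"
    } else {
        log local0. "Client [IP::remote_addr] presented no client certificate"
    }
    pool fvb2bs-443-p-mko
}
```

    Keeping certData connection-local rather than in `::certData` is what prevents one client's issuer/subject from being attached to another client's requests; the session-table entry is only a fallback for resumed SSL sessions, and the remove-before-insert step ensures the backend cannot be handed a header value that did not come from the verified certificate.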
  • gerace - could you post your final irule? I am working on the same thing and have the blank cert info when my HTTPS_REQUEST is hit.

    Thanks

    Steve