Leszek_Majewsk1
Nov 19, 2007

how to pass variables

Why can't I read stored variables from the previous context?

Example:

    when CLIENTSSL_CLIENTCERT {
        set cert [SSL::cert 0]
        set status [X509::verify_cert_error_string [SSL::verify_result]]
        set subject [X509::subject $cert]
        set serial [X509::serial_number $cert]
        set issuer [X509::issuer $cert]
        set values [list $cert $status $subject $serial]
        set locality "Warszawa"
        set count [SSL::cert count]
        session add ssl [SSL::sessionid] $values 3600
        log "Client handshake status: $status, serial number: $serial"
        log "subject: $subject"
        log "issuer: $issuer"
        log "count: $count"
        HTTP::release
    }

In this section I store the subject and issuer variables (I can see them in the log file).

The next context in my script is:

    when HTTP_REQUEST {
        if {[HTTP::uri] starts_with "/pattern/" } {
            set cert [SSL::cert 1]
            set status [X509::verify_cert_error_string [SSL::verify_result]]
            log "status jest: $status"
            set subject [X509::subject $cert]
            set serial [X509::serial_number $cert]
            set issuer [X509::issuer $cert]
            set values [list $cert $status $subject $serial]
            set locality "Warszawa"
            set count [SSL::cert count]
            session add ssl [SSL::sessionid] $values 3600
            log "Client handshake status: $status, serial number: $serial"
            log "subject: $subject"
            log "issuer: $issuer"
            log "count: $count" ;# ..... (!)
        }
    }

I get an error related to the line `set subject [X509::subject $cert]`, and I cannot read previously stored variables such as subject. I thought that the script runs line by line. What is wrong? How do I use the variables stored in the previous context?

6 Replies

  • Are you getting the TCL error from the CLIENTSSL_CLIENTCERT event, where you set the subject variable, or the HTTP_REQUEST event? I would guess the latter event. You're setting the cert variable to the second cert in the request. Are there two certs? What do you see for the log statement with [SSL::cert count]?

    Can you post the full logs from the rule for a single connection/request when you get an error?

    Thanks,

    Aaron
  • Hi,

    I tried also with cert 0:

        when HTTP_REQUEST {
            if {[HTTP::uri] starts_with "/pattern/" } {
                set cert [SSL::cert 0]
                set status [X509::verify_cert_error_string [SSL::verify_result]]
                log "status jest: $status"
                set subject [X509::subject $cert]
                set serial [X509::serial_number $cert]
                set issuer [X509::issuer $cert]
                set values [list $cert $status $subject $serial]
                set locality "Warszawa"
                set count [SSL::cert count]
                session add ssl [SSL::sessionid] $values 3600
                log "Client handshake status: $status, serial number: $serial"
                log "subject: $subject"
                log "issuer: $issuer"
                log "count: $count" ;# ..... (!)
            }
        }

    The log is:

        Fri Nov 16 16:43:29 CET 2007 tmm tmm[983] 01220002 Rule Polcard_1.3 CLIENTSSL_CLIENTCERT: count: 2
        Fri Nov 16 16:43:30 CET 2007 tmm tmm[983] 01220002 Rule Polcard_1.3 HTTP_REQUEST: status jest: ok
        Fri Nov 16 16:43:30 CET 2007 tmm tmm[983] 01220001 TCL error: Rule Polcard_1.3 HTTP_REQUEST - while executing X509::subject $cert=

    Regards,
  • The error seems odd... the setting of the variable looks fine. Checking SOL5171, this post, and this codeshare example, I don't see a problem. What version are you running?

    Anyone else have ideas?

    Aaron
  • I contacted support about this exact issue and they said SOL5171 is wrong and needs to be updated. They are currently researching. If interested, I wrote an iRule that seems to be working (at least for our applications):

        when CLIENTSSL_CLIENTCERT {
            set cert [SSL::cert 0]
            session add ssl [SSL::sessionid] $cert 600
        }

        when HTTP_REQUEST {
            set client_cert [session lookup ssl [SSL::sessionid]]
            if { $client_cert eq "" } {
                SSL::renegotiate
            } else {
                HTTP::header insert X-Subject [X509::subject $client_cert]
            }
        }
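As an added example (not code from this thread, from F5, or from SOL5171), the following iRule combines the two approaches discussed above: it stores the list of values the original post builds in CLIENTSSL_CLIENTCERT in the session table, and reads it back in HTTP_REQUEST keyed by the SSL session ID as in the reply above, instead of relying on event-local variables. It also checks the stored verification status before inserting identity headers and strips any client-supplied copies of those headers first. The header name X-Client-Serial, the 403 response text and the two-element list layout of the session entry are assumptions of this example.

```tcl
# Added example: pass client-certificate data between events via the
# session table rather than event-local variables (not the thread's code).
when CLIENTSSL_CLIENTCERT {
    # SSL::cert 0 is the leaf (client) certificate; higher indexes are chain
    # certificates the client sent, which is why "count" was 2 in the log above.
    set cert [SSL::cert 0]
    set status [X509::verify_cert_error_string [SSL::verify_result]]

    # Store everything later events need as one list entry, keyed by the SSL
    # session ID. Local variables set here were reported in this thread as
    # not being visible in HTTP_REQUEST. (Two-element layout is an assumption.)
    session add ssl [SSL::sessionid] [list $cert $status] 3600
    log "handshake: status=$status, count=[SSL::cert count]"
}

when HTTP_REQUEST {
    # Never trust identity headers that arrive from the client: remove them
    # before deciding whether to insert our own. X-Subject is the name used in
    # the reply above; X-Client-Serial is an assumed name for this example.
    HTTP::header remove X-Subject
    HTTP::header remove X-Client-Serial

    if { [HTTP::uri] starts_with "/pattern/" } {
        set entry [session lookup ssl [SSL::sessionid]]
        if { $entry eq "" } {
            # No certificate recorded for this SSL session (for example a
            # resumed session): request one now, as the reply above does.
            SSL::renegotiate
            return
        }

        set cert   [lindex $entry 0]
        set status [lindex $entry 1]

        # Only forward an identity when verification actually succeeded
        # ("ok" is the status string seen in the log above).
        if { $status ne "ok" } {
            log "rejecting request to [HTTP::uri]: certificate status=$status"
            HTTP::respond 403 content "client certificate not accepted"
            return
        }

        HTTP::header insert X-Subject [X509::subject $cert]
        HTTP::header insert X-Client-Serial [X509::serial_number $cert]
        log "subject: [X509::subject $cert], issuer: [X509::issuer $cert]"
    }
}
```

If you renegotiate from HTTP_REQUEST, the request normally has to be held with HTTP::collect and released with HTTP::release once CLIENTSSL_CLIENTCERT has run, which is what the HTTP::release call in the original post's handler is for; this example leaves that part out to keep the session-table exchange in focus.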
  • Hi leszcs,

    I've heard a few people say that the local variables they set in CLIENTSSL_CLIENTCERT aren't available in subsequent events. Did F5 support address this? I'm curious to see what they say.

    Thanks,

    Aaron