Forum Discussion

Albert__Tase_70
Dec 09, 2009

ssl cer pass through rule

I am getting the following error messages with the irule below:

Wed Dec 9 13:26:24 EST 2009 tmm tmm[1608] 01220001 TCL error: client_cer_pass_thre_2 CLIENTSSL_CLIENTCERT - while executing X509::serial_number $cert

    when CLIENTSSL_CLIENTCERT {
        set cert [SSL::cert 0]
        set sn [X509::serial_number $cert]
        set subject [X509::subject $cert]
        set issuer [X509::issuer $cert]
        set version [X509::version $cert]
        session add uie [SSL::sessionid] [list $sn $issuer $subject $version] 1800
    }

    when HTTP_REQUEST {
        set values [session lookup uie [SSL::sessionid] ]
        if { [lindex $values 0] != "" } {
            HTTP::header insert XClientSSL_Serial [lindex $values 0]
            log local0. "Inserting Serial [lindex $values 0]"

            HTTP::header insert XClientSSL_Issuer [lindex $values 1]
            log local0. "Inserting Issuer [lindex $values 1]"

            HTTP::header insert XClientSSL_Subject [lindex $values 2]
            log local0. "Inserting Subject [lindex $values 2]"

            HTTP::header insert XVersion [lindex $values 3]
            log local0. "Inserting Version [lindex $values 3]"
        }
    }

Can someone please help? I am trying to pass the cert information through to the server.

Thanks

1 Reply

  • Hi Al,

    I'd guess the client isn't actually presenting a cert and so there isn't valid output from the first X509 command. Can you log the string length of $cert when the error occurs? Or if you're not able to reproduce the error at will, you could add logic to prevent the issue from happening:

     
     when CLIENTSSL_CLIENTCERT {

        # Check if the cert output isn't null
        if {[SSL::cert 0] ne ""} {

           set cert [SSL::cert 0]
           set sn [X509::serial_number $cert]
           set subject [X509::subject $cert]
           set issuer [X509::issuer $cert]
           set version [X509::version $cert]
           session add uie [SSL::sessionid] [list $sn $issuer $subject $version] 1800
        }
     }
     

    Aaron
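
A combined version of the rule, as an added example that is not from either poster: it keeps the empty-certificate guard suggested in the reply and also removes any client-supplied copies of the four headers before inserting the values taken from the handshake, so the backend only sees values set by the iRule. Using `SSL::cert count` for the guard and `HTTP::header remove` for the cleanup are this example's choices and are not discussed in the thread.

```tcl
# Added example, not code from the thread.
when CLIENTSSL_CLIENTCERT {
    # SSL::cert count is 0 when the client finished the handshake without
    # presenting a certificate; skip the X509:: calls in that case.
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        session add uie [SSL::sessionid] [list \
            [X509::serial_number $cert] \
            [X509::issuer $cert] \
            [X509::subject $cert] \
            [X509::version $cert]] 1800
    } else {
        log local0. "No client certificate presented by [IP::client_addr]"
    }
}

when HTTP_REQUEST {
    # Remove any copies of these headers that arrived in the request itself,
    # whether or not a certificate was presented on this connection.
    foreach name {XClientSSL_Serial XClientSSL_Issuer XClientSSL_Subject XVersion} {
        HTTP::header remove $name
    }

    set values [session lookup uie [SSL::sessionid]]

    # Insert only when all four stored fields are present.
    if { [llength $values] == 4 } {
        HTTP::header insert XClientSSL_Serial  [lindex $values 0]
        HTTP::header insert XClientSSL_Issuer  [lindex $values 1]
        HTTP::header insert XClientSSL_Subject [lindex $values 2]
        HTTP::header insert XVersion           [lindex $values 3]
    }
}
```

With this ordering, a request that carries no stored certificate data reaches the server with none of the four headers, so the application can treat their absence as "no client certificate".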