Writing Client-Cert info into Header - irule with strange behavior

Question

Hi,
I have an inherited a BIG-IP and I'm facing a problem with an irule that is implemented there.
The important part is this:
   when HTTP_REQUEST priority 200 {
    ...
     create HTTP headers with ssl cert infos
    set dn [ X509::issuer $cert ]
     Split DN into Parts
    set parts [ split $dn {,} ]
     Fill array with the different parts (O=, OU=, ...)
    foreach part $parts {
      set thispart [ split $part {=} ]

if { [ llength $thispart ] == 2 } {
        set dnparts([lindex $thispart 0 ]) [ lindex $thispart 1 ]
      }
   }
    Insert the neccessary headers from the DN
   HTTP::header insert "SSL_CLIENT_I_DN"           $dn
   foreach {part myvar} {
     {C}       {SSL_CLIENT_I_DN_C}
     {CN}      {SSL_CLIENT_I_DN_CN}
     {O}       {SSL_CLIENT_I_DN_O}
     {OU}      {SSL_CLIENT_I_DN_OU}
   } {
     if { [info exists dnparts($part) ] } {
       HTTP::header insert "$myvar" "$dnparts($part)"
     }
  }

So - the irule should read the issuer information and put it in such a format into HTTP headers:
SSL_CLIENT_I_DN: C=DE, O=Test-Organisation, OU=Test-OU, CN=Test-CN 
SSL_CLIENT_I_DN_C: DE
SSL_CLIENT_I_DN_CN: Test-CN
SSL_CLIENT_I_DN_O: Test-Organisation
SSL_CLIENT_I_DN_OU: Test-OU

Now the application admin reported, that these headers are not sent properly. I activated a logging irule and I can see that for some requests (it seems the initial ones) the format is OK. But for the requests later, the behavior changes. In the log I can only see the first 2 lines repeating constantly:
SSL_CLIENT_I_DN: C=DE, O=Test-Organisation, OU=Test-OU, CN=Test-CN 
SSL_CLIENT_I_DN_C: DE
SSL_CLIENT_I_DN: C=DE, O=Test-Organisation, OU=Test-OU, CN=Test-CN 
SSL_CLIENT_I_DN_C: DE
SSL_CLIENT_I_DN: C=DE, O=Test-Organisation, OU=Test-OU, CN=Test-CN 
SSL_CLIENT_I_DN_C: DE

As mentioned, I've inherited this irule from the prior admin and I'm not that deep into TCL. For me, the rule is performed on every HTTP-Request from scratch, so there shouldn't be any difference in the behavior.

Any ideas? 🙂

nathe · Answer

Do you have oneconnect enabled on the VIP? See https://support.f5.com/csp/article/K7208. With oneconnect "the BIG-IP system is able to process each HTTP request individually"&nbsp;

anesh · Answer

Try the below code:&nbsp;set parts [ split $dn {,} ]

set country [lindex $parts 0]
set x [string range $country 2 end]
HTTP::header insert "SSL_CLIENT_I_DN_C" $x

set org  [lindex $parts 1]
set y [string range $org 2 end]
HTTP::header insert "SSL_CLIENT_I_DN_O" $y

set unit [lindex $parts 2]
set z [string range $unit 3 end]
HTTP::header insert "SSL_CLIENT_I_DN_OU" $z

set cname [lindex $parts 3]
set a [string range $cname 3 end]
HTTP::header insert "SSL_CLIENT_I_DN_CN" $a

HTTP::header insert "SSL_CLIENT_I_DN" $dn

am_gli · Answer

No, none applied.&nbsp;

nathe · Answer

I would certainly test this, perhaps using the  255.255.255 255 mask. &nbsp;

am_gli · Answer

Figured it out - it was an issue with the space behind the comma.
So "SSL_CLIENT_I_DN: C=DE, O=Test-Organisation, OU=Test-OU, CN=Test-CN" was split to an array but, with leading spaces: 
"C|AT"  
" O|Test...."  
" OU|Test..."  
etc.

So in this part:
foreach {part myvar} {
     {C}       {SSL_CLIENT_I_DN_C}
     {CN}      {SSL_CLIENT_I_DN_CN}
     {O}       {SSL_CLIENT_I_DN_O}
     {OU}      {SSL_CLIENT_I_DN_OU}

the only line that was readable from the array was C, all other didn't match because of the space.

Forum Discussion

Writing Client-Cert info into Header - irule with strange behavior

6 Replies

Recent Discussions

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Related Content

Hey ChatGPT, can you write iRules?

Passing Client CAC / Smart Card Cert to Application Server

Behavior of outbound DNS query from LTM behavior

AI Safety: Navigating Deception, Emergent Goals, and Power-seeking Behaviors

Selective Client Cert Authentication