turo
Aug 12, 2008

SSL client cert info to http header

I have problems with an iRule that inserts info from an SSL certificate into an HTTP header.

We need an iRule to find a specific line in the SSL cert subject field and insert that information into an HTTP header. I made some modifications to an iRule from CodeShare to meet our needs.

iRule:

  
  when CLIENTSSL_CLIENTCERT {
    # set time to maintain session data (in seconds)
    set session_timeout 60

    # store the client cert and its verification result, keyed by SSL session ID
    set ssl_cert [SSL::cert 0]
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    log local0. "ssl_errstr: $ssl_errstr"
    set ssl_stuff [list $ssl_cert $ssl_errstr]
    session add ssl [SSL::sessionid] $ssl_stuff $session_timeout
    log local0. "sessionid: [SSL::sessionid]"
  }

  when HTTP_REQUEST {
    # read back the cert and verification result stored for this SSL session
    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
    set ssl_cert2 [lindex $ssl_stuff2 0]
    set ssl_errstr2 [lindex $ssl_stuff2 1]
    log local0. "ssl_errstr2: $ssl_errstr2"
    log local0. "[X509::subject $ssl_cert2]"
    # extract the value after "someInfo=" up to the next comma
    set cert_info [findstr [X509::subject $ssl_cert2] "someInfo=" 9 ","]
    log local0. "$cert_info"
    if { $ssl_errstr2 eq "ok" } {
      if { $cert_info != "" } {
        log local0. "cert ok + someInfo found --> insert header"
        HTTP::header insert someInfo $cert_info
        log local0. "someInfo: [HTTP::header value "someInfo"]"
      } else {
        log local0. "cert ok but no someInfo found --> insert empty header"
        HTTP::header insert someInfo " "
        log local0. "someInfo: [HTTP::header value "someInfo"]"
      }
    } else {
      # send HTTP 302 redirect to an error page
      HTTP::redirect "http://www.error.com"
    }
  }
  

For some reason I got TCL errors in the ltm log, and the client gets "connection reset" errors.

/var/log/ltm

  
  Aug  5 13:53:04 tmm tmm[1678]: Rule cert-http-headers-SERIAL : ssl_errstr2:
  Aug  5 13:53:04 tmm tmm[1678]: 01220001:3: TCL error: cert-http-headers-SERIAL  -      while executing "X509::subject $ssl_cert2"
  Aug  5 13:53:21 tmm tmm[1678]: Rule cert-http-headers-SERIAL : ssl_errstr2:
  Aug  5 13:53:21 tmm tmm[1678]: 01220001:3: TCL error: cert-http-headers-SERIAL  -      while executing "X509::subject $ssl_cert2"
  

Any ideas what is causing these TCL errors?

-turo
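
Added example, not part of the original post and not F5's own code: a defensive variant of the rule above that checks the session lookup before parsing the certificate and strips any client-supplied copy of the header. It assumes the empty `ssl_errstr2` in the log means the lookup returned nothing; the 403 response and log text are assumptions, while the `someInfo` names and the redirect URL come from the post.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Store session data only when the client actually presented a certificate
    if { [SSL::cert count] > 0 } {
        set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
        set ssl_stuff [list [SSL::cert 0] $ssl_errstr]
        session add ssl [SSL::sessionid] $ssl_stuff 60
    }
}

when HTTP_REQUEST {
    # The backend trusts this header, so drop any copy sent by the client
    # before deciding whether to insert our own value
    HTTP::header remove someInfo

    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]

    # Nothing stored for this SSL session (expired entry, or no cert was
    # saved): stop here instead of passing an empty value to X509::subject
    if { $ssl_stuff2 eq "" } {
        log local0. "no stored client cert for this SSL session"
        HTTP::respond 403 content "Client certificate required"
        return
    }

    set ssl_cert2 [lindex $ssl_stuff2 0]
    set ssl_errstr2 [lindex $ssl_stuff2 1]

    # Certificate was presented but did not verify: same redirect as the post
    if { $ssl_errstr2 ne "ok" } {
        HTTP::redirect "http://www.error.com"
        return
    }

    # Extract the value after "someInfo=" up to the next comma in the subject
    set cert_info [findstr [X509::subject $ssl_cert2] "someInfo=" 9 ","]
    if { $cert_info ne "" } {
        HTTP::header insert someInfo $cert_info
    } else {
        log local0. "cert ok but no someInfo attribute in subject"
    }
}
```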