Forum Discussion

soymanue
Apr 20, 2010

SSL Certificate iRule with Hudfilter error

Hello, I have a virtual server with an SSL profile and one iRule to authenticate through an SSL cert when a certain link is selected (I used one example found in DevCentral).

You can find the iRule in the attached file.

I get this error continuously:

Apr 20 09:02:38 local/tmm3 err tmm3[3085]: 01220001:3: TCL error: SSL_CARD - Error: SSL hudfilter not reached or not in chain (line 1) invoked from within "SSL::cert count" peer expression (line 3) invoked from within "clientside { HTTP::header remove "WL-Proxy-Client-Cert" if { [SSL::cert count] > 0 } { HTTP::header insert "WL-Proxy-Client-Cert "..."

Apr 20 09:02:40 local/tmm1 err tmm1[3083]: 01220001:3: TCL error: SSL_CARD - Error: SSL hudfilter not reached or not in chain (line 1) invoked from within "SSL::cert count" peer expression (line 3) invoked from within "clientside { HTTP::header remove "WL-Proxy-Client-Cert" if { [SSL::cert count] > 0 } { HTTP::header insert "WL-Proxy-Client-Cert "..."

Apr 20 09:02:43 local/tmm err tmm[3082]: 01220001:3: TCL error: SSL_CARD - Error: SSL hudfilter not reached or not in chain (line 1) invoked from within "SSL::cert count" peer expression (line 3) invoked from within "clientside { HTTP::header remove "WL-Proxy-Client-Cert" if { [SSL::cert count] > 0 } { HTTP::header insert "WL-Proxy-Client-Cert "..."

I'm absolutely lost.

Thank you

3 Replies

  • Hi Manuel,

    Do you have "non-SSL" enabled on the client SSL profile attached to the virtual server? Are you able to reproduce the error when testing to the VIP? If so, are you making an HTTPS request?

    Aaron
  • Hello

    Non-SSL is disabled.

    I'm not sure if the request is not SSL, because the connections that are producing these events come from external customers.

    Anyway, we are not publishing non-SSL services. There is a virtual server that redirects HTTP to HTTPS.

    Once you are connected to the SSL service with a certificate by Verisign, you may authenticate with user and password or choose an option of Certificate Authentication. This certificate is different; it comes inside the Identity Card that our government issues.

  • The error seems to indicate that a client has made a non-SSL connection to the SSL enabled VIP (like http://1.1.1.1:443/ where 1.1.1.1 is the VIP). I'm not sure what would cause this error if you don't have non-SSL allowed on the client SSL profile. You could try opening a case with F5 Support to get help troubleshooting this.

    Aaron
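
The hypothesis in the last reply (a client sending plaintext to the SSL-enabled VIP) can be checked against a packet capture by looking at the first bytes each client sends. The following is an added example, not part of the thread or of F5's tooling: it classifies a connection's first payload as a TLS ClientHello, an SSLv2-compatible ClientHello, or plaintext HTTP. The function names, client addresses and sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client payload on a TCP connection to the SSL VIP."""
    if len(payload) < 6:
        return "too-short"
    # TLS/SSLv3 record header: content type (1), version (2), length (2).
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype == 0x16 and major == 3 and minor <= 4 and 0 < length <= 16384:
        # Handshake record; a new connection should open with ClientHello (1).
        return "tls-client-hello" if payload[5] == 0x01 else "tls-handshake-other"
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    # message type 1, then the offered version (0x0002 or 0x03xx).
    if payload[0] & 0x80 and payload[2] == 0x01 and payload[3] in (0x00, 0x03):
        return "sslv2-client-hello"
    if payload.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"

def summarize(first_payloads: dict) -> Counter:
    """Count classifications across {client address: first payload bytes}."""
    return Counter(classify_first_bytes(p) for p in first_payloads.values())

def non_ssl_clients(first_payloads: dict) -> list:
    """Clients whose first bytes were not an SSL/TLS ClientHello."""
    ok = {"tls-client-hello", "sslv2-client-hello"}
    return sorted(c for c, p in first_payloads.items()
                  if classify_first_bytes(p) not in ok)

# Constructed sample data (not taken from the thread): first payload bytes per
# client, as they might be extracted from a capture on the VIP's port 443.
SAMPLES = {
    "192.0.2.10:40001": bytes.fromhex("160301002f0100002b0303") + b"\x00" * 8,
    "192.0.2.11:40002": b"GET / HTTP/1.1\r\nHost: vip.example\r\n\r\n",
    "192.0.2.12:40003": bytes.fromhex("802e010301001500000010"),
    "192.0.2.13:40004": b"\x00\x01\x02\x03\x04\x05\x06",
}

if __name__ == "__main__":
    print(summarize(SAMPLES))
    print("non-SSL first payloads from:", non_ssl_clients(SAMPLES))
```

Matching the timestamps of any non-SSL clients found this way against the TCL error lines shows whether those connections line up with the errors.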