irule clientssl_clientcert log
Hi,
I am creating an iRule to do clientssl handling.
Everything works fine, but as always in some cases it doesn't work.
That is the reason why we all add debug options in scripts.
But for some reason, when using the log option under CLIENTSSL_CLIENTCERT, it only logs the first log rule.
Even if there are no conditions to log (by just making two log rows), it only displays the first.
When commenting out the first row, it logs the second??????
The LTM version we are running is 14.1.2.2, but we had the same issue in 13.1.1.2.
Am I doing something wrong?
Example:
These are the two lines:
log "Client Certificate received: $subject_dn, [IP::client_addr]"
log "BLAAT"
Many thanks in advance
when CLIENTSSL_CLIENTCERT {
    SSL::collect
    # Tcl ends a command at a newline, so the opening brace of each body and
    # every "else" must stay on the same line as the condition / closing brace.
    if { [SSL::cert count] > 0 } {
        set subject_dn [X509::subject [SSL::cert 0]]
        set cert_date [X509::not_valid_after [SSL::cert 0]]
        # $static::today and $static::otudebug are assumed to be set in RULE_INIT (not shown here).
        # X509::not_valid_after returns a date string, so "<" is a string
        # comparison unless both operands happen to be numeric.
        if { $cert_date < $static::today } {
            log "ERROR: Certificate $subject_dn EXPIRED, END-Date $cert_date"
        }
        if { $subject_dn != "" } {
            log "Client Certificate received: $subject_dn, [IP::client_addr]"
            log "BLAAT"
            # if { $static::otudebug } { log "Client Certificate received: $subject_dn, [IP::client_addr]" }
            #set C [string range [lindex [X509::subject [SSL::cert 0]] 0] 2 end-1]
            # Extract the CN and normalise it into the data-group name suffix.
            set cn [string range [findstr [X509::subject [SSL::cert 0]] "CN="] 3 end]
            set cn [string map {"*" "ster"} $cn]
            set cn [string map {" " "_"} $cn]
            set dg "t-DG_$cn"
            set dg_ip "t-DGIP_$cn"
            if { [class match [IP::client_addr] equals $dg_ip] } {
                if { $static::otudebug } { log "DataGroup IP Match, [IP::client_addr]" }
            } else {
                log "ERROR: [IP::client_addr] NO IP MATCH in $dg_ip"
                reject
            }
            # $uri is assumed to be set elsewhere in the iRule (not shown here).
            if { [class match $uri starts_with $dg] } {
                if { $static::otudebug } { log "DataGroup URI Match, [IP::client_addr]" }
            } else {
                log "ERROR: [IP::client_addr] NO URI MATCH in $dg for $cn"
                reject
            }
        }
    } else {
        log "Client Certificate NOT FOUND, [IP::client_addr]"
        reject
    }
    # reject does not end the event, so guard against subject_dn being unset
    # when no certificate was presented (a TCL "no such variable" error otherwise).
    if { $static::otudebug && [info exists subject_dn] } {
        log "Client Certificate received: $subject_dn, [IP::client_addr]"
    }
}