Client SSL Insert

Question

I've got a site using client SSL cert inserted to the header for authentication with the backend web server. The irule is as follows.&nbsp;
&nbsp;  when CLIENTSSL_CLIENTCERT {
&nbsp;  if { [SSL::cert count] &gt; 0 } {
&nbsp;    session add ssl [SSL::sessionid] [X509::cert_fields [SSL::cert 0] [SSL::verify_result] whole] 450
&nbsp;  }
&nbsp;}&nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp;  set certfields [session lookup ssl [SSL::sessionid]]
&nbsp;  if { $certfields != "" } {
&nbsp;    HTTP::header insert $certfields
&nbsp;  }
&nbsp;}&nbsp;
&nbsp;This is followed by another irule that chooses which pool based on active members. This inserting of the header works fine when the pool that is choosen in the next irule is the same as the default pool that is listed for the virtual server.  However if it chooses another pool then the session lookup fails? Any help would be greatly appreciated. 
&nbsp;Thanks,
&nbsp;Jason

jason_jernigan_ · Answer

I added some logging to figure out what was going on. Below is the irule with the logging enabled. &nbsp;
&nbsp;when CLIENTSSL_CLIENTCERT {
&nbsp;log "begining"
&nbsp;  log "ssl cert count =  + [SSL::cert count]"
&nbsp;  if { [SSL::cert count] &gt; 0 } {
&nbsp;    session add ssl [SSL::sessionid] [X509::cert_fields [SSL::cert 0] [SSL::verify_result] whole] 450
&nbsp;    log "session ID:  + [SSL::sessionid] +  [X509::cert_fields [SSL::cert 0] [SSL::verify_result] whole]"
&nbsp;    log "certfields lookup = [session lookup ssl [SSL::sessionid]]"
&nbsp;  }
&nbsp;}
&nbsp; 
&nbsp; 
&nbsp;when HTTP_REQUEST {
&nbsp;  log "http_request sessionid= + [SSL::sessionid]"
&nbsp;  set certfields [session lookup ssl [SSL::sessionid]]
&nbsp;  log "certfields before if  + $certfields"
&nbsp;  if { $certfields != "" } {
&nbsp;    HTTP::header insert $certfields
&nbsp;  }
&nbsp;log "Ending"
&nbsp;}&nbsp;
&nbsp;Attached are the logs that this irule produced. The section of logs labeled incorrect is when the default pool was not the same pool that the next irule chose. You can see by looking at the logs that the session lookup command fails under the HTTP_REQUEST section but works fine in the CLIENTSSL_CLIENTCERT section.

unruley_95363 · Answer

This may sound a little bizzare, and will eventually be fixed in a future release.  The session table actually utilizes the persistence table and as a result, some of the behaviors of the persist table have made there way into how the session table behaves.  The issue that is getting you here is what's known as "persist across ...".  Since the pool is different, persistence would normally not use the entry unless persist across services or persist across pools is enabled.  Obviously, this really isn't appropriate behavior for the session table.
However, you should be able to easily work around it by changing your session lookup like so:set certfields [session lookup ssl {[SSL::sessionid] any}]
Please let us know if this corrects your problem so we can get it fixed in a future release.
Thanks!

jason_jernigan_ · Answer

Ok I changed the code to this:&nbsp;
&nbsp;when CLIENTSSL_CLIENTCERT {
&nbsp;log "begining"
&nbsp;  log "ssl cert count =  + [SSL::cert count]"
&nbsp;  if { [SSL::cert count] &gt; 0 } {
&nbsp;    session add ssl [SSL::sessionid] [X509::cert_fields [SSL::cert 0] [SSL::verify_result] whole] 450
&nbsp;    log "session ID:  + [SSL::sessionid] +  [X509::cert_fields [SSL::cert 0] [SSL::verify_result] whole]"
&nbsp;    log "certfields lookup = [session lookup ssl {[SSL::sessionid] any}]"
&nbsp;  }
&nbsp;}
&nbsp; 
&nbsp;when HTTP_REQUEST {
&nbsp;  log "http_request sessionid= + [SSL::sessionid]"
&nbsp;  set certfields [session lookup ssl {[SSL::sessionid] any}]
&nbsp;  log "certfields before if  + $certfields"
&nbsp;  if { $certfields != "" } {
&nbsp;    HTTP::header insert $certfields
&nbsp;  }
&nbsp;log "Ending"
&nbsp;}&nbsp;
&nbsp;But it appears that something is off becuase now none of the lookups are working. Including the log statement immediatly following the session add. Your help is greatly appreciated. Please see logs attached. 
&nbsp;Thanks,
&nbsp;Jason

unruley_95363 · Answer

Ok, I'll need to try to reproduce this.  What version + hotfixes are you running?

jason_jernigan_ · Answer

We are running version 9.1 with no hotfixes.
&nbsp; b version
&nbsp;Kernel:
&nbsp;Linux 2.4.21-9.1.0.3.0smp
&nbsp;Package:
&nbsp;BIG-IP Version 9.1.0 6.2
&nbsp;Final Edition&nbsp;
&nbsp;Thanks,
&nbsp;Jason

Forum Discussion

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

ASM attack signatures not syncing between active and standby F5

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

VPN Communication Error with F5 BIG-IP Edge Client

simultaneous disabling / enabling of all LTM objects

Query on source IP preservation for syslog traffic through F5 virtual server

Related Content

SSL Profiles Part 8: Client Authentication

Implementing SSL Orchestrator - Network Insertion Use Cases

Insert Client Certificate In Serverside HTTP Headers

Strict header Insertion

Security Headers Insertion