For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jason_Jernigan_'s avatar
Jason_Jernigan_
Icon for Nimbostratus rankNimbostratus
Mar 06, 2006

Client SSL Insert

I've got a site using client SSL cert inserted to the header for authentication with the backend web server. The irule is as follows.     when CLIENTSSL_CLIENTCERT {   if { [SSL::cert cou...
application delivery
dev
devops
iRules
Michael_Voight_'s avatar
Michael_Voight_
Historic F5 Account
Mar 17, 2006
CR56247 is included in 9.1.1 (as noted in the CR, "Fixed in 9.1.1.54.0". This is the released 9.1.1)

 

 

CR26247 also seems to be an issue with the response being NOT FOUND, which doesn't seem to match this problem

 

 

I own the subcase for this customer and it looks like the problem is related to the parsing of the expression.

 

It looks like the Session ID is being interpreted as a command.

 

 

Mar 16 14:23:47 tmm tmm[778]: 01220001:3: TCL error: Rule Cert_Update_Incert_log - invalid command name "99f96f36f6ef44a696e8bc06af9a9ea15846f1c703d755323d428e38b6718a85" while executing "[SSL::sessionid] any"

 

Mar 16 14:23:47 tmm tmm[778]: 01220002:6: Rule Cert_Update_Incert_log : http_request sessionid= + 99f96f36f6ef44a696e8bc06af9a9ea15846f1c703d755323d428e38b6718a85

 

Mar 16 14:23:47 tmm tmm[778]: 01220001:3: TCL error: Rule Cert_Update_Incert_log - invalid command name "99f96f36f6ef44a696e8bc06af9a9ea15846f1c703d755323d428e38b6718a85" while executing "[SSL::sessionid] any"

 

Mar 16 14:23:47 tmm tmm[778]: 01220002:6: Rule Cert_Update_Incert_log : http_request sessionid= + 99f96f36f6ef44a696e8bc06af9a9ea15846f1c703d755323d428e38b6718a85

 

 

 

So, the question appears to be whether this is valid:

 

 

set certfields [session lookup ssl {[SSL::sessionid] any}]

 

 

 

The rule info:

 

 

rule Cert_Update_Incert_log {

 

when CLIENTSSL_CLIENTCERT {

 

log "begining"

 

log "ssl cert count = + [SSL::cert count]"

 

if { [SSL::cert count] > 0 } {

 

session add ssl [SSL::sessionid] [X509::cert_fields [SSL::cert 0] [SSL::verify_result] whole] 450

 

log "session ID: + [SSL::sessionid] + [X509::cert_fields [SSL::cert 0] [SSL::verify_result] whole]"

 

log "certfields lookup = [session lookup ssl {[SSL::sessionid] any}]"

 

}

 

}

 

 

when HTTP_REQUEST {

 

log "http_request sessionid= + [SSL::sessionid]"

 

set certfields [session lookup ssl {[SSL::sessionid] any}]

 

log "certfields before if + $certfields"

 

if { $certfields != "" } {

 

HTTP::header insert $certfields

 

}

 

log "Ending"

 

}

 

}

 

 

 

Thanks,

 

 

Michael