Forum Discussion

Salvador_del_Re's avatar
Salvador_del_Re
Historic F5 Account
Feb 27, 2008

Client ssl

I want use a clientssl profile for some IP address and another clientssl profile for another range of IP adress.

 

Try to make a iRule and dont run.

 

Any ideas?

 

Thanks
application delivery
dev
devops
iRules
  • Salvador_del_Re's avatar
    Salvador_del_Re
    Historic F5 Account
    Feb 27, 2008
    profile clientssl uno_prof {

     

    defaults from clientssl

     

    key "uno.key"

     

    cert "uno.crt"

     

    }

     

     

    profile clientssl dos_prof {

     

    defaults from clientssl

     

    key "dos.key"

     

    cert "dos.crt"

     

    }

     

     

    virtual vs_https {

     

    snat automap

     

    pool http_pool

     

    destination 172.16.6.102:https

     

    ip protocol tcp

     

    rules certificado

     

    profiles

     

    tcp

     

    test-cert

     

    }

     

    when CLIENT_ACCEPTED {

     

    set certuno uno_prof

     

    set certdos dos_prof

     

    log "certificado uno $certuno certif2 $certdos"

     

    PROFILE::clientssl [$certuno]

     

    }

     

     

     

     

    Error

     

     

    Feb 27 13:47:55 tmm tmm[1675]: 01220002:6: Rule certificado : certificado uno uno_prof certif2 dos_prof

     

    Feb 27 13:47:55 tmm tmm[1675]: 01220001:3: TCL error: certificado - invalid command name "uno_prof" while executing "$certuno"

     

     

  • Nicolas_Menant's avatar
    Nicolas_Menant
    Icon for Employee rankEmployee
    Feb 27, 2008
    Remove your [] around [$certuno] ^^

     

     

    Moreover i don't think that will do what you want.

     

     

    If you check the wikis it is used to retrieve value and not set new one:

     

     

    example: when HTTP_REQUEST {

     

    set resultat [PROFILE::clientssl key]

     

    log local0. "res: $resultat"

     

    }

     

     

    it will return the key used for the ssl transaction

     

     

    You need to use the command SSL::profile name_of_your_profile

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__profile.html

     

     

    HTH

     

     

  • Salvador_del_Re's avatar
    Salvador_del_Re
    Historic F5 Account
    Feb 28, 2008
    Finally make the next iRule and my problem it´s resolved.

     

     

    Thanks a lot

     

     

    when CLIENT_ACCEPTED {

     

    if { [matchclass [IP::client_addr] equals $::Direcciones_internas]

     

    }

     

    {

     

    SSL::profile uno_prof

     

    }

     

    else

     

    {

     

    SSL::profile dos_prof

     

    }

     

    }

     

     

     

     

     

    virtual vs_https {

     

    snat automap

     

    pool http_pool

     

    destination 172.16.6.102:https

     

    ip protocol tcp

     

    rules certificado

     

    profiles

     

    clientssl

     

    tcp

     

    }

     

     

     

     

     

    profile clientssl uno_prof {

     

    defaults from clientssl

     

    key "uno.key"

     

    cert "uno.crt"

     

    }

     

     

     

    }

     

    profile clientssl dos_prof {

     

    defaults from clientssl

     

    key "dos.key"

     

    cert "dos.crt"

     

    }

     

     

    }

     

    class Direcciones_internas {

     

    network 172.16.0.0/16

     

    networks 10.10.6.0/24

     

    networks 192.168.6.0/24

     

    }