Forum Discussion
ClientSSL_clientCert variables not avail in HTTP_Request
Hi All,
I am working on an iRule that inserts the client certificate issuer and subject fields as a header for a terminated application. The following rule passes syntax checking, thou I see the logged output from the clientssl event, the log statement from the http_request even shows the certData variable as being null. Any reason why I can't access local variable created in clientssl_clientcert event.
Thanks for your help.
Anthony
when CLIENTSSL_CLIENTCERT {
set certData "[X509::issuer [SSL::cert 0]], [X509::subject [SSL::cert 0]]"
log local0. "CertData is $certData"
}
when HTTP_REQUEST {
log local0. "CertData is $certData"
if { [string length $certData] > 2 } {
HTTP::header insert x-fvb2bs-client-cert $certData
log local0. "Client [IP::remote_addr] had certificate $certData"}
pool fvb2bs-443-p-mko
}Excerpt from ltm logfile:
Oct 12 09:26:39 tmm tmm[11163]: Rule fvb2bs-cert-fields-ag : CertData is /C=US/O=FMR Corp./OU=PKI Test CA, /C=US/O=FMR Corp./OU=Applications/OU=B2B/CN=fvb2bs-test-client-access.fmr.com
Oct 12 09:26:41 tmm tmm[11163]: 01220001:3: TCL error: Rule fvb2bs-cert-fields-ag - can't read "certData": no such variable while executing "log local0. "CertData is $certData""
- Have you tried setting this as a global variable?
when CLIENTSSL_CLIENTCERT { set ::certData "[X509::issuer [SSL::cert 0]], [X509::subject [SSL::cert 0]]" log local0. "CertData is $::certData" } when HTTP_REQUEST { log local0. "CertData is $::certData" if { [string length $::certData] > 2 } { HTTP::header insert x-fvb2bs-client-cert $::certData log local0. "Client [IP::remote_addr] had certificate $::certData" } pool fvb2bs-443-p-mko }
Colin - Hi Colin,
Setting certData as a global variable does work. It is my understanding that local variables are shared between the different events for a given virtual. Is this not the case?
Is the CLIENTSSL_CLIENTCERT event in a different namespace?
If I use global variables are they only available with-in the given virtual or "globally" across the device?
Thanks.
Anthony - Hi Anthony -
It's my understanding that local variables are supposed to be shared across events without exception. I am not aware of any events operating in separate namespace, and I can't imagine the logic that might support an exception in this case...
Global variables are available across the device, so different variable names in different iRules may be required if you don't intend to share that value across iRules.
I don't think setting a global variable will work in this case, as each new client connection will update the global variable, which will result in using the last connection's cert info for each HTTP request.
/deb - BTW, It's likely that you are getting the HTTP_REQUEST event before the CLIENTSSL_CLIENTCERT event.
- AaronJB
SIRT
I don't think setting a global variable will work in this case, as each new client connection will update the global variable, which will result in using the last connection's cert info for each HTTP request.
Indeed - I think it's best to serialise the cert data into the session table with a "session add " (I think that's the right parameters from memory), and then look the data up in the HTTP_REQUEST event.
I think the CLIENTSSL_CLIENTCERT event will only be triggered once per initial SSL negotiation (so SSL resumes won't fire it), so you only populate the session table once per client. 
Steve_Rice_8783Nimbostratus
gerace - could you post your final irule? I am working on the same thing and have the blank cert info when my HTTPS_REQUEST is hit.
Thanks
Steve
