Forum Discussion
Error in iRule when invoking HTTP::release
I was running V10.2.4 HF3 and have upgraded to V11.2.1 HF1. I now have this iRule that won't run. It gives the following error:
- Illegal argument. Can't execute in the current context. (line 1) invoked from within "HTTP::release"
The purpose of the rule is to force clients who access a particular uri to change client cert from required to request in support of an old legacy java application. Any ideas why the HTTP::release is no longer working would be appreciated.
when CLIENT_ACCEPTED {
    set LogDebug 1
    set session_flag 0
    if { $LogDebug == 1 } { log local0.warn "CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is $session_flag" }
}
when CLIENTSSL_HANDSHAKE {
    set LogDebug 1
    if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: cert count=[SSL::cert count]" }
    if { [SSL::cert count] > 0 } {
        if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is [SSL::cert count]" }
        if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: Session flag is $session_flag" }
        HTTP::release
    } else {
        if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass" }
    }
}
when HTTP_REQUEST {
    set LogDebug 1
    if { [string tolower [HTTP::uri]] equals "/mis" || [string tolower [HTTP::uri]] equals "/missd" || [string tolower [HTTP::uri]] equals "/mat" } {
        if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: Requiring certificate...and the request uri is :[HTTP::uri]" }
        if { [SSL::cert count] == 0 } {
            if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: when http request,ssl cert count is 0,now http collect" }
            HTTP::collect
            SSL::authenticate once
            SSL::authenticate depth 9
            SSL::cert mode require
            log local0.info "HTTP_REQUEST: when http request,now renegotiating"
            set session_flag 1
            SSL::renegotiate
        } else {
            if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: No cert needed,to server directly, and the uri is [HTTP::uri]" }
        }
    }
    log local0.info "HTTP_REQUEST: Session_flag at end of http_request is $session_flag"
}
- What_Lies_Bene1 (Cirrostratus): I don't think the HTTP::release is required in the CLIENTSSL_HANDSHAKE event at all, seeing as you don't start collecting till after SSL has done its thing. The error has probably occurred due to better syntax checking in v11. However, I'd suggest you add it as the last line of your rule (although a response will have the same effect).
- Frank_30530 (Altocumulus):
I have the same issue here.
According to the Wiki, there MUST be an HTTP::release executed in some non-HTTP event to prevent HTTP from stalling indefinitely:
see HTTP::collect:
Also, if you use HTTP::collect without specifying a length, you must have some non-HTTP event (e.g. AUTH_RESULT or NAME_RESOLVED) run HTTP::release, or HTTP processing will not continue, and the collected data will be discarded when the connection times out.
How would you do this in an iRule that needs to force an SSL renegotiation (e.g., in order to obtain a client certificate?)
-Frank
- nitass (Employee): I got the same error in 11.3.0.
- hooleylist (Cirrostratus): If you comment out the HTTP::release, does it work or just stall after the HTTP::collect?
- nitass (Employee): hmm... I do not get the error when re-testing today. (= =*)
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) show sys version
Sys::Version
Main Package
  Product  BIG-IP
  Version  11.3.0
  Build    2806.0
  Edition  Final
  Date     Tue Nov 13 22:34:00 PST 2012

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.14:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        myclientssl {
            context clientside
        }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
    app-service none
    ca-file ca.crt
    defaults-from clientssl
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
        set LogDebug 1
        set session_flag 0
        if { $LogDebug == 1 } { log local0.warn "CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is $session_flag" }
    }
    when CLIENTSSL_HANDSHAKE {
        set LogDebug 1
        if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: cert count=[SSL::cert count]" }
        if { [SSL::cert count] > 0 } {
            if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is [SSL::cert count]" }
            if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: Session flag is $session_flag" }
            HTTP::release
        } else {
            if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass" }
        }
    }
    when HTTP_REQUEST {
        set LogDebug 1
        if { [string tolower [HTTP::uri]] equals "/mis" || [string tolower [HTTP::uri]] equals "/missd" || [string tolower [HTTP::uri]] equals "/mat" } {
            if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: Requiring certificate...and the request uri is :[HTTP::uri]" }
            if { [SSL::cert count] == 0 } {
                if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: when http request,ssl cert count is 0,now http collect" }
                HTTP::collect
                SSL::authenticate once
                SSL::authenticate depth 9
                SSL::cert mode require
                log local0.info "HTTP_REQUEST: when http request,now renegotiating"
                set session_flag 1
                SSL::renegotiate
            } else {
                if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: No cert needed,to server directly, and the uri is [HTTP::uri]" }
            }
        }
        log local0.info "HTTP_REQUEST: Session_flag at end of http_request is $session_flag"
    }
}

client
[root@centos251 ca] curl -Ik https://172.28.20.14/mis --cert client1.crt --key client1.key
HTTP/1.1 404 Not Found
Date: Sat, 19 Jan 2013 14:35:38 GMT
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html; charset=iso-8859-1

ltm log
[root@ve11a:Active:Changes Pending] config tail -f /var/log/ltm
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is 0
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=0
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: Requiring certificate...and the request uri is :/mis
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: when http request,ssl cert count is 0,now http collect
Jan 19 22:03:23 ve11a info tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: when http request,now renegotiating
Jan 19 22:03:23 ve11a info tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: Session_flag at end of http_request is 1
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=1
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is 1
Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: Session flag is 1
- Frank_30530 (Altocumulus):
I think I found it.
Apparently, if you actually check if HTTP::collect has been executed before executing HTTP::release, then it works OK.
If you execute HTTP::release and no (previous) HTTP::collect is pending, then you will get the error. Previous versions of TMOS were not so picky?
I set a variable to true ($collecting) at HTTP::collect and verify if $collecting is true before I do the HTTP::release in CLIENTSSL_HANDSHAKE.
With best regards,
-Frank
- Frank_30530 (Altocumulus): @Nitass: I.e., your code will work with a single CURL request. You run into problems when you start a new TCP connection using the same SSL session where previously a client certificate was sent. In that case your code will execute HTTP::release while no previous HTTP::collect was executed.
- nitass (Employee): "your code will work with a single CURL request." Oh yes, thanks, I was blur.
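The guard Frank describes, applied to the rule from the opening post. This is an added example, not code posted in the thread: the events and SSL/HTTP commands are the ones the original rule already uses, and the $collecting variable is assumed as the way to record a pending HTTP::collect on the connection.

```tcl
# Added example (not from the thread): track whether HTTP::collect is pending
# on this connection so CLIENTSSL_HANDSHAKE only calls HTTP::release when there
# is something to release. A new TCP connection that resumes an SSL session which
# already presented a client certificate fires CLIENTSSL_HANDSHAKE with a cert
# count > 0 but no pending collect; on v11 that unguarded release raises
# "Can't execute in the current context".
when CLIENT_ACCEPTED {
    set LogDebug 1
    set collecting 0
}

when HTTP_REQUEST {
    # The paths that require a client certificate (same list as the original rule)
    switch -- [string tolower [HTTP::uri]] {
        "/mis" -
        "/missd" -
        "/mat" {
            if { [SSL::cert count] == 0 } {
                if { $LogDebug } { log local0.warn "HTTP_REQUEST: no client cert for [HTTP::uri], holding request and renegotiating" }
                # Flag the pending collect before parking the request
                set collecting 1
                HTTP::collect
                SSL::authenticate once
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    if { $LogDebug } { log local0.warn "CLIENTSSL_HANDSHAKE: cert count=[SSL::cert count] collecting=$collecting" }
    # Release only when a collect is pending. On the first handshake of a
    # connection, or on a resumed session that already carries a certificate,
    # nothing has been collected, so HTTP::release must not run.
    if { $collecting } {
        set collecting 0
        HTTP::release
    }
}
```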
[root@ve11a:Active:Changes Pending] config tmsh list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
        set LogDebug 1
        set session_flag 0
        log local0. "-"
        log local0. "client [IP::client_addr]:[TCP::client_port]"
        if { $LogDebug == 1 } { log local0.warn "CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is $session_flag" }
    }
    when CLIENTSSL_HANDSHAKE {
        set LogDebug 1
        log local0. "sessionid [SSL::sessionid]"
        if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: cert count=[SSL::cert count]" }
        if { [SSL::cert count] > 0 } {
            if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is [SSL::cert count]" }
            if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: Session flag is $session_flag" }
            log local0. "HTTP::release"
            HTTP::release
        } else {
            if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass" }
        }
    }
    when HTTP_REQUEST {
        set LogDebug 1
        if { [string tolower [HTTP::uri]] equals "/mis" || [string tolower [HTTP::uri]] equals "/missd" || [string tolower [HTTP::uri]] equals "/mat" } {
            if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: Requiring certificate...and the request uri is :[HTTP::uri]" }
            if { [SSL::cert count] == 0 } {
                if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: when http request,ssl cert count is 0,now http collect" }
                HTTP::collect
                SSL::authenticate once
                SSL::authenticate depth 9
                SSL::cert mode require
                log local0.info "HTTP_REQUEST: when http request,now renegotiating"
                set session_flag 1
                SSL::renegotiate
            } else {
                if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: No cert needed,to server directly, and the uri is [HTTP::uri]" }
            }
        }
        log local0.info "HTTP_REQUEST: Session_flag at end of http_request is $session_flag"
    }
}

client monitor 1
echo -e "GET /mis HTTP/1.1\r\nHost:\r\n\r\n"| openssl s_client -connect 172.28.20.14:443 -cert /var/tmp/client1.crt -key /var/tmp/client1.key -quiet -sess_out /var/tmp/new.sess
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
verify return:1
HTTP/1.1 200 OK
Date: Mon, 21 Jan 2013 13:34:26 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Mon, 21 Jan 2013 13:14:42 GMT
ETag: "418411-59-3e7cd480"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8

This is 101 host.
read:errno=0

client monitor 2
echo -e "GET / HTTP/1.1\r\nHost:\r\n\r\n"| openssl s_client -connect 172.28.20.14:443 -quiet -sess_in /var/tmp/new.sess
HTTP/1.1 200 OK
Date: Mon, 21 Jan 2013 13:34:27 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
ETag: "4183f3-59-f28f94c0"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8

This is 101 host.
read:errno=0

/var/log/ltm
[root@ve11a:Active:Changes Pending] config tail -f /var/log/ltm
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : -
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : client 172.28.66.39:51327
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is 0
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : sessionid 0504475af67bc03cc5a00cadc9da6fc0f0c003a482d34cc66edf60b30130a50b
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=0
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : HTTP_REQUEST: Requiring certificate...and the request uri is :/mis
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : HTTP_REQUEST: when http request,ssl cert count is 0,now http collect
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : HTTP_REQUEST: when http request,now renegotiating
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : HTTP_REQUEST: Session_flag at end of http_request is 1
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : sessionid 0504475af67bc033c5a00cadc9da6fc0f0c003a482d34cc76edf60b30130a50b
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=1
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is 1
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: Session flag is 1
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : HTTP::release
Jan 21 21:02:05 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 21 21:02:05 ve11a info tmm1[11170]: Rule /Common/myrule : client 172.28.66.39:51328
Jan 21 21:02:05 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is 0
Jan 21 21:02:05 ve11a info tmm1[11170]: Rule /Common/myrule : sessionid 0504475af67bc03cc5a00cadc9da6fc0f0c003a482d34cc66edf60b30130a50b
Jan 21 21:02:05 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=0
Jan 21 21:02:05 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass
Jan 21 21:02:05 ve11a info tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: Session_flag at end of http_request is 0
^C