Forum Discussion
TLL_91858
Dec 14, 2012, Cirrus
Error in iRule when invoking HTTP::release
I was running V10.2.4 HF3 and have upgraded to V11.2.1 HF1. I now have this iRule that won't run. It gives the following error:
- Illegal argument. Can't execute in the current context. (line ...
nitass
Jan 21, 2013, Employee
> your code will work with a single CURL request.

oh yes. thanks, i was blur.

> You run into problems when you start a new TCP connection using the same SSL session where previously a client certificate was send. In that case your code will execute HTTP::release while no previous HTTP::collect was executed.

not sure if i did anything wrong. SSL::cert count is still 0 even using previous ssl session id.
[root@ve11a:Active:Changes Pending] config tmsh list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
        set LogDebug 1
        set session_flag 0
        log local0. "-"
        log local0. "client [IP::client_addr]:[TCP::client_port]"
        if { $LogDebug == 1 } { log local0.warn "CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is $session_flag" }
    }
    when CLIENTSSL_HANDSHAKE {
        set LogDebug 1
        log local0. "sessionid [SSL::sessionid]"
        if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: cert count=[SSL::cert count]" }
        if { [SSL::cert count] > 0 } {
            if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is [SSL::cert count]" }
            if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: Session flag is $session_flag" }
            log local0. "HTTP::release"
            HTTP::release
        } else {
            if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass" }
        }
    }
    when HTTP_REQUEST {
        set LogDebug 1
        if { [string tolower [HTTP::uri]] equals "/mis" || [string tolower [HTTP::uri]] equals "/missd" || [string tolower [HTTP::uri]] equals "/mat" } {
            if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: Requiring certificate...and the request uri is :[HTTP::uri]" }
            if { [SSL::cert count] == 0 } {
                if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: when http request,ssl cert count is 0,now http collect" }
                HTTP::collect
                SSL::authenticate once
                SSL::authenticate depth 9
                SSL::cert mode require
                log local0.info "HTTP_REQUEST: when http request,now renegotiating"
                set session_flag 1
                SSL::renegotiate
            } else {
                if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: No cert needed,to server directly, and the uri is [HTTP::uri]" }
            }
        }
        log local0.info "HTTP_REQUEST: Session_flag at end of http_request is $session_flag"
    }
}
client monitor 1
echo -e "GET /mis HTTP/1.1\r\nHost:\r\n\r\n"| openssl s_client -connect 172.28.20.14:443 -cert /var/tmp/client1.crt -key /var/tmp/client1.key -quiet -sess_out /var/tmp/new.sess
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
verify return:1
HTTP/1.1 200 OK
Date: Mon, 21 Jan 2013 13:34:26 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Mon, 21 Jan 2013 13:14:42 GMT
ETag: "418411-59-3e7cd480"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8
This is 101 host.
read:errno=0
client monitor 2
echo -e "GET / HTTP/1.1\r\nHost:\r\n\r\n"| openssl s_client -connect 172.28.20.14:443 -quiet -sess_in /var/tmp/new.sess
HTTP/1.1 200 OK
Date: Mon, 21 Jan 2013 13:34:27 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
ETag: "4183f3-59-f28f94c0"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8
This is 101 host.
read:errno=0
/var/log/ltm
[root@ve11a:Active:Changes Pending] config tail -f /var/log/ltm
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : -
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : client 172.28.66.39:51327
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is 0
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : sessionid 0504475af67bc03cc5a00cadc9da6fc0f0c003a482d34cc66edf60b30130a50b
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=0
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : HTTP_REQUEST: Requiring certificate...and the request uri is :/mis
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : HTTP_REQUEST: when http request,ssl cert count is 0,now http collect
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : HTTP_REQUEST: when http request,now renegotiating
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : HTTP_REQUEST: Session_flag at end of http_request is 1
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : sessionid 0504475af67bc033c5a00cadc9da6fc0f0c003a482d34cc76edf60b30130a50b
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=1
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is 1
Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: Session flag is 1
Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : HTTP::release
Jan 21 21:02:05 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 21 21:02:05 ve11a info tmm1[11170]: Rule /Common/myrule : client 172.28.66.39:51328
Jan 21 21:02:05 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is 0
Jan 21 21:02:05 ve11a info tmm1[11170]: Rule /Common/myrule : sessionid 0504475af67bc03cc5a00cadc9da6fc0f0c003a482d34cc66edf60b30130a50b
Jan 21 21:02:05 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=0
Jan 21 21:02:05 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass
Jan 21 21:02:05 ve11a info tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: Session_flag at end of http_request is 0
^C
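The failure mode quoted above (HTTP::release running in CLIENTSSL_HANDSHAKE on a connection where no HTTP::collect is outstanding) can be closed by gating the release on the flag the rule already sets before SSL::renegotiate. The iRule below is an added illustration, not code from either poster; it keeps the page's URIs and SSL settings and assumes the variable session_flag is only ever set to 1 in the same event that issued HTTP::collect.

```tcl
when CLIENT_ACCEPTED {
    # session_flag is 1 only while an HTTP::collect is outstanding on this connection
    set session_flag 0
}

when CLIENTSSL_HANDSHAKE {
    # A resumed SSL session that already carried a client certificate fires this event
    # with [SSL::cert count] > 0 but with no collect pending. Releasing here is the
    # "Can't execute in the current context" error, so only release when we collected.
    if { $session_flag == 1 } {
        set session_flag 0
        log local0.info "CLIENTSSL_HANDSHAKE: renegotiation done, cert count=[SSL::cert count], releasing request"
        HTTP::release
    }
}

when HTTP_REQUEST {
    set uri [string tolower [HTTP::uri]]
    # Only these paths require a client certificate (same set as the original rule)
    if { [lsearch -exact {/mis /missd /mat} $uri] >= 0 && [SSL::cert count] == 0 } {
        # Hold the request until the renegotiated handshake completes
        HTTP::collect
        set session_flag 1
        SSL::authenticate once
        SSL::authenticate depth 9
        SSL::cert mode require
        log local0.info "HTTP_REQUEST: renegotiating for $uri"
        SSL::renegotiate
    }
}
```

With "cert mode require" a renegotiation that yields no certificate fails the handshake and drops the connection, so the release branch never runs with a pending collect and zero certificates.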