Forum Discussion
Errors in LTM log
Hi,
BIG-IP version 10.x
I get a lot of errors in the LTM log every day.
Errors like this:
May 30 19:22:59 local/tmm err tmm[5277]: 01220001:3: TCL error: ssl_client_rule - while executing "X509::subject $cert"
May 30 19:27:49 local/tmm err tmm[5277]: 01220001:3: TCL error: ssl_client_rule - while executing "X509::subject $cert"
May 30 19:28:25 local/tmm err tmm[5277]: 01220001:3: TCL error: ssl_client_rule - while executing "X509::subject $cert"
May 30 19:39:36 local/tmm err tmm[5277]: 01220001:3: TCL error: ssl_client_rule - while executing "X509::subject $cert"
May 30 20:26:54 local/tmm err tmm[5277]: 01220001:3: TCL error: ssl_client_rule - while executing "X509::subject $cert"
May 30 20:52:09 local/tmm err tmm[5277]: 01220001:3: TCL error: ssl_client_rule - while executing "X509::subject $cert"
May 30 20:52:10 local/tmm err tmm[5277]: 01220001:3: TCL error: ssl_client_rule - while executing "X509::subject $cert"
May 30 21:13:23 local/tmm err tmm[5277]: 01220001:3: TCL error: ssl_client_rule - while executing "X509::subject $cert"
May 30 21:13:38 local/tmm err tmm[5277]: 01220001:3: TCL error: ssl_client_rule - wrong args: should be "session lookup ssl " while executing "session lookup ssl [SSL::sessionid]"
May 30 21:15:23 local/tmm err tmm[5277]: 01220001:3: TCL error: ssl_client_rule - while executing "X509::subject $cert"
May 30 21:15:32 local/tmm err tmm[5277]: 01220001:3: TCL error: ssl_client_rule - wrong args: should be "session lookup ssl " while executing "session lookup ssl [SSL::sessionid]"
iRule used:
when CLIENTSSL_CLIENTCERT {
    set cert [SSL::cert 0]
    set status [X509::verify_cert_error_string [SSL::verify_result]]
    set subject [X509::subject $cert]
    set serial [X509::serial_number $cert]
    set values [list $cert $status $subject $serial]
    session add ssl [SSL::sessionid] $values 1800
}
when HTTP_REQUEST {
    set values [session lookup ssl [SSL::sessionid]]
    if { [lindex $values 1] equals "ok" } {
        HTTP::header insert ClientSSL_subject [lindex $values 2]
        HTTP::header insert ClientSSL_serial [lindex $values 3]
        pool dakota
        HTTP::header remove "If-Modified-Since"
    } elseif { [lindex $values 1] equals "" } {
        HTTP::redirect "https://sslerro.xx.xx/errors/nocert.htm"
        SSL::session invalidate
    } else {
        HTTP::redirect "https://sslerror.xx.xx/errors/cert_error.htm"
        SSL::session invalidate
    }
}
I know something has changed within version 10 (https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote_10_1_0_ltm.html)
SSL::cert iRule commands (CR116806)
Any ideas to avoid the errors in the LTM log?
Dirk
7 Replies
- nitass
Employee
> set status [X509::verify_cert_error_string [SSL::verify_result]]

Can you try to log this variable (e.g. log local0. "status = $status")?
- Dirk_Laan_18877
Nimbostratus
log local0. "ClientSSl_Client handshake status: $status"
May 31 15:25:57 local/tmm info tmm[5277]: Rule ssl_client_rule: ClientSSl_Client handshake status: ok
I can simulate this error.
Jun 3 14:57:40 local/tmm err tmm[5277]: 01220001:3: TCL error: ssl_client_rule - while executing "X509::subject $cert"
When the Virtual Server is requesting the client cert, instead of clicking OK, I click on Cancel; then the error is logged in the LTM log.
- nitass
Employee
> I can simulate this error.
> When the Virtual Server is requesting the client cert, instead of clicking OK I click on Cancel.

In that case, may we check the number of certificates (i.e. SSL::cert count) before proceeding?
SSL::cert wiki
https://devcentral.f5.com/wiki/irules.SSL__cert.ashx
- Dirk_Laan_18877
Nimbostratus
Yes, I think this will cause no problems.
- nitass
Employee
I think there are 2 errors. One is "while executing "X509::subject $cert"", which can be avoided by checking SSL::cert count.
The other one is "while executing "session lookup ssl [SSL::sessionid]"", which I understand means SSL::sessionid returns null. In this case, you may also have to check if SSL::sessionid is null before proceeding.
SSL::sessionid
Returns the current connection's SSL session ID if it exists in the session cache.
In version 10.x and higher, if the session ID does not exist in the cache, returns a null string.
SSL::sessionid wiki
https://devcentral.f5.com/wiki/irules.ssl__sessionid.ashx
- Dirk_Laan_18877
Nimbostratus
Can you show what the new iRule should look like with these parameters (SSL::cert count and SSL::sessionid)?
- nitass
Employee
I thought about it again, and since SSL::cert applies to the lifetime of the SSL session, I do not think the session table is needed.
SSL::cert wiki
https://devcentral.f5.com/wiki/irules.SSL__cert.ashx
Therefore, what about something like this?

[root@ve10:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.252:443
   ip protocol 6
   rules myrule
   profiles {
      http {}
      myclientssl {
         clientside
      }
      tcp {}
   }
}
[root@ve10:Active] config b profile myclientssl list
profile clientssl myclientssl {
   defaults from clientssl
   ca file "caroot.crt"
   client cert ca "default.crt"
   peer cert mode require
}
[root@ve10:Active] config b rule myrule list
rule myrule {
   when HTTP_REQUEST {
      if { [X509::verify_cert_error_string [SSL::verify_result]] eq "ok" } {
         HTTP::header insert ClientSSL_subject [X509::subject [SSL::cert 0]]
         HTTP::header insert ClientSSL_serial [X509::serial_number [SSL::cert 0]]
         HTTP::header remove "If-Modified-Since"
      } else {
         # do something
      }
   }
}
[root@ve10:Active] config ssldump -Aed -nni 0.0 port 443 or port 80 -k /config/ssl/ssl.key/default.key
New TCP connection 1: 172.28.19.251(33858) <-> 172.28.19.252(443)
1 1  1370373595.5790 (0.0247)  C>S  SSLv2 compatible client hello
1 2  1370373595.5791 (0.0000)  S>CV3.1(49)  Handshake
1 3  1370373595.5791 (0.0000)  S>CV3.1(953)  Handshake
1 4  1370373595.5791 (0.0000)  S>CV3.1(165)  Handshake
1 5  1370373595.5791 (0.0000)  S>CV3.1(4)  Handshake
1 6  1370373595.7061 (0.1270)  C>SV3.1(1489)  Handshake
1 7  1370373595.7061 (0.0000)  C>SV3.1(262)  Handshake
1 8  1370373595.7061 (0.0000)  C>SV3.1(518)  Handshake
1 9  1370373595.7061 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
1 10 1370373595.7061 (0.0000)  C>SV3.1(36)  Handshake
1 11 1370373595.7284 (0.0222)  S>CV3.1(1)  ChangeCipherSpec
1 12 1370373595.7284 (0.0000)  S>CV3.1(36)  Handshake
1 13 1370373595.7302 (0.0017)  C>SV3.1(176)  application_data
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252
Accept: */*
---------------------------------------------------------------
New TCP connection 2: 200.200.200.10(33858) <-> 200.200.200.101(80)
1370373595.7320 (0.0013)  C>S
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252
Accept: */*
ClientSSL_subject: CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US
ClientSSL_serial: 01
---------------------------------------------------------------
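As an added worked example (not code from the thread, and not F5's own), here is Dirk's iRule rewritten along the lines the replies converge on: the work moves into HTTP_REQUEST, the certificate is checked with SSL::cert count before any X509:: call, and the session table keyed by SSL::sessionid is dropped entirely because SSL::cert and SSL::verify_result remain available for the lifetime of the SSL session (nitass's point, and the reason the null-sessionid check becomes unnecessary). Assumptions: the client SSL profile uses "peer cert mode" request rather than require, so a handshake without a client certificate still completes and reaches HTTP_REQUEST; the pool name "dakota" and the redirect URLs are taken from Dirk's original rule; the header-stripping lines at the top are my addition.

```tcl
# Added example, not from the original thread. Assumes (not stated in the
# post) a client SSL profile with "peer cert mode" = request, so the
# handshake completes even when the browser cancels the certificate prompt.
when HTTP_REQUEST {
    # Never trust these headers from the client: a request could arrive with
    # forged ClientSSL_* headers, and the pool member cannot tell them apart
    # from the ones this rule inserts below. Strip them unconditionally.
    HTTP::header remove ClientSSL_subject
    HTTP::header remove ClientSSL_serial

    # Guard 1: no certificate was presented (user clicked Cancel, or the
    # client has none). [SSL::cert 0] is then empty, and calling X509::subject
    # on it is what produced 'TCL error: ... while executing "X509::subject $cert"'.
    if { [SSL::cert count] == 0 } {
        SSL::session invalidate
        HTTP::redirect "https://sslerror.xx.xx/errors/nocert.htm"
        return
    }

    # SSL::cert and SSL::verify_result hold for the lifetime of the SSL
    # session, including resumed sessions on later TCP connections, so there
    # is no need to cache the values in the session table keyed by
    # [SSL::sessionid]. That key is what came back null and caused the
    # 'wrong args: should be "session lookup ssl ..."' error.
    set cert   [SSL::cert 0]
    set status [X509::verify_cert_error_string [SSL::verify_result]]

    if { $status eq "ok" } {
        HTTP::header insert ClientSSL_subject [X509::subject $cert]
        HTTP::header insert ClientSSL_serial  [X509::serial_number $cert]
        HTTP::header remove "If-Modified-Since"
        pool dakota
    } else {
        # Certificate presented but failed verification (expired, untrusted
        # issuer, and so on). Log the reason, then drop the SSL session so
        # the next connection renegotiates instead of resuming a bad one.
        log local0. "client cert rejected: $status subject=[X509::subject $cert] serial=[X509::serial_number $cert]"
        SSL::session invalidate
        HTTP::redirect "https://sslerror.xx.xx/errors/cert_error.htm"
    }
}
```

With "peer cert mode" require, as in nitass's test profile, the no-certificate branch is unreachable because the handshake fails before HTTP_REQUEST fires; the guard still costs nothing and keeps the rule safe if the profile is later relaxed to request. The header removal at the top is the check to keep even if the rest is changed: the backend pool authorizes on ClientSSL_subject, so it must only ever see the value the BIG-IP put there.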