Forum Discussion
Dirk_Laan_18877
Nimbostratus
May 30, 2013
Errors in ltm log
Hi,
BIG-IP version 10.x
Every day I get a lot of errors in the ltm log.
Errors like this:
May 30 19:22:59 local/tmm err tmm[5277]: 01220001:3: TCL error: ssl_client_rule - whi...
nitass
Employee
Jun 04, 2013
I thought about it again, and since SSL::cert is applied for the lifetime of the SSL session, I do not think the session table is needed.
SSL::cert wiki
https://devcentral.f5.com/wiki/irules.SSL__cert.ashx
Therefore, what about something like this?
[root@ve10:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.252:443
   ip protocol 6
   rules myrule
   profiles {
      http {}
      myclientssl {
         clientside
      }
      tcp {}
   }
}
[root@ve10:Active] config b profile myclientssl list
profile clientssl myclientssl {
   defaults from clientssl
   ca file "caroot.crt"
   client cert ca "default.crt"
   peer cert mode require
}
[root@ve10:Active] config b rule myrule list
rule myrule {
   when HTTP_REQUEST {
      # SSL::verify_result holds the client-certificate verification result
      # for the whole SSL session, so no session table lookup is needed
      if { [X509::verify_cert_error_string [SSL::verify_result]] eq "ok" } {
         # pass the verified client certificate's subject and serial to the pool member
         HTTP::header insert ClientSSL_subject [X509::subject [SSL::cert 0]]
         HTTP::header insert ClientSSL_serial [X509::serial_number [SSL::cert 0]]
         HTTP::header remove "If-Modified-Since"
      } else {
         # the original post left this as "do something"; refusing the request is one option
         HTTP::respond 403 content "client certificate verification failed"
      }
   }
}
[root@ve10:Active] config ssldump -Aed -nni 0.0 port 443 or port 80 -k /config/ssl/ssl.key/default.key
New TCP connection 1: 172.28.19.251(33858) <-> 172.28.19.252(443)
1 1 1370373595.5790 (0.0247) C>S SSLv2 compatible client hello
1 2 1370373595.5791 (0.0000) S>CV3.1(49) Handshake
1 3 1370373595.5791 (0.0000) S>CV3.1(953) Handshake
1 4 1370373595.5791 (0.0000) S>CV3.1(165) Handshake
1 5 1370373595.5791 (0.0000) S>CV3.1(4) Handshake
1 6 1370373595.7061 (0.1270) C>SV3.1(1489) Handshake
1 7 1370373595.7061 (0.0000) C>SV3.1(262) Handshake
1 8 1370373595.7061 (0.0000) C>SV3.1(518) Handshake
1 9 1370373595.7061 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 10 1370373595.7061 (0.0000) C>SV3.1(36) Handshake
1 11 1370373595.7284 (0.0222) S>CV3.1(1) ChangeCipherSpec
1 12 1370373595.7284 (0.0000) S>CV3.1(36) Handshake
1 13 1370373595.7302 (0.0017) C>SV3.1(176) application_data
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252
Accept: */*
---------------------------------------------------------------
New TCP connection 2: 200.200.200.10(33858) <-> 200.200.200.101(80)
1370373595.7320 (0.0013) C>S
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.19.252
Accept: */*
ClientSSL_subject: CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US
ClientSSL_serial: 01
---------------------------------------------------------------
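The trace above shows the pool member receiving the request with the two headers the iRule inserted. The following is an added example of how the pool member could consume them; it is not nitass's code or anything from F5. It assumes the backend is reachable only through the BIG-IP (so the headers can be trusted at all), uses the header names from the iRule, and builds its sample requests from the ssldump trace. Because HTTP::header insert adds a header rather than replacing one of the same name, a client that sent its own ClientSSL_subject would arrive with two copies; the parser therefore insists on exactly one copy of each header (the iRule could equally remove the names before inserting).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the proxied request as the ssldump trace in the
# post shows it on the pool-member side, with the two iRule-inserted headers.
SAMPLE_REQUEST = (
    "HEAD / HTTP/1.1\r\n"
    "User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 "
    "OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5\r\n"
    "Host: 172.28.19.252\r\n"
    "Accept: */*\r\n"
    "ClientSSL_subject: CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US\r\n"
    "ClientSSL_serial: 01\r\n"
    "\r\n"
)

# Constructed sample: what the backend sees if a client supplied its own
# ClientSSL_subject header and the iRule only inserted (did not replace) the
# real one. Two copies of the header arrive.
SPOOFED_REQUEST = (
    "GET /admin HTTP/1.1\r\n"
    "Host: 172.28.19.252\r\n"
    "ClientSSL_subject: CN=admin.acme.com,O=Acme Ltd,C=US\r\n"
    "ClientSSL_subject: CN=client1.acme.com,OU=IT,O=Acme Ltd,L=Seattle,ST=WA,C=US\r\n"
    "ClientSSL_serial: 01\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split an HTTP/1.1 request head into (lowercased name, value) pairs, keeping duplicates."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def single_header(headers: List[Tuple[str, str]], name: str) -> str:
    """Return the value of `name`, refusing requests where it is missing or duplicated."""
    values = [v for n, v in headers if n == name.lower()]
    if len(values) != 1:
        raise ValueError(f"expected exactly one {name} header, found {len(values)}")
    return values[0]


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse the comma-separated subject string X509::subject emits into a dict.

    A backslash-escaped comma inside a value (RFC 4514 style) is kept in the value.
    """
    attrs: Dict[str, str] = {}
    for part in re.split(r"(?<!\\),", dn):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {part!r}")
        attrs[key.strip()] = value.strip().replace("\\,", ",")
    return attrs


def client_identity(raw: str) -> Tuple[str, str]:
    """Return (subject CN, serial) from the headers the iRule added, or raise ValueError."""
    headers = parse_headers(raw)
    subject = parse_dn(single_header(headers, "ClientSSL_subject"))
    serial = single_header(headers, "ClientSSL_serial")
    if "CN" not in subject:
        raise ValueError("client certificate subject has no CN")
    return subject["CN"], serial


if __name__ == "__main__":
    print(client_identity(SAMPLE_REQUEST))
    try:
        client_identity(SPOOFED_REQUEST)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it directly and the first request yields the CN and serial from the trace, while the spoofed request is rejected for carrying two ClientSSL_subject headers. Anything the backend authorises on should come from these parsed values, not from the raw header text.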