Forum Discussion
Sinan_WANG
Nimbostratus
May 12, 2010
How to change V9 iRule "Insert Certificate Value in HTTP header" to V10
Hi all
We updated our LTM from version 9.4.7 to version 10.1.0.
There is an iRule that didn't work. I know that in version 10 the table command is used instead of session.
I have tried to rewrite the iRule.
V9 iRule
=============================================================
# Store the client certificate under the SSL session id when it arrives
when CLIENTSSL_CLIENTCERT {
    session add [SSL::sessionid] [SSL::cert 0]
}
# On each HTTP request, look the cert up by session id and copy its fields into headers
when HTTP_REQUEST {
    set id [SSL::sessionid]
    set cert [session lookup $id]
    HTTP::header insert SSLCLIENTCERTSUBJECT [X509::subject $cert],[X509::issuer $cert],[X509::version $cert],[X509::serial_number $cert],[X509::not_valid_before $cert],[X509::not_valid_after $cert]
    HTTP::header insert issuer [X509::issuer $cert]
    HTTP::header insert versionnum [X509::version $cert]
    HTTP::header insert serial [X509::serial_number $cert]
    HTTP::header insert not_valid_before [X509::not_valid_before $cert]
    HTTP::header insert not_valid_after [X509::not_valid_after $cert]
}
==============================================================
V10
==============================================================
# Same logic with the session table replaced by the table command
when CLIENTSSL_CLIENTCERT {
    table set [SSL::sessionid] [SSL::cert 0]
}
when HTTP_REQUEST {
    set cert [table lookup [SSL::sessionid]]
    HTTP::header insert SSLCLIENTCERTSUBJECT [X509::subject $cert],[X509::issuer $cert],[X509::version $cert],[X509::serial_number $cert],[X509::not_valid_before $cert],[X509::not_valid_after $cert]
    HTTP::header insert issuer [X509::issuer $cert]
    HTTP::header insert versionnum [X509::version $cert]
    HTTP::header insert serial [X509::serial_number $cert]
    HTTP::header insert not_valid_before [X509::not_valid_before $cert]
    HTTP::header insert not_valid_after [X509::not_valid_after $cert]
}
==============================================================
But there are errors in the log.
local/tmm err tmm[26191]: 01220001:3: TCL error: insert_cert_to_header_2 - while executing "X509::subject $cert"
local/tmm7 err tmm7[26198]: 01220001:3: TCL error: insert_cert_to_header_2 - while executing "X509::subject $cert"
It's my iRule, right?
Thanks.
5 Replies
- hoolio
Cirrostratus
Hi Bruce,
There was an improvement in 10.1.0 for client cert handling:
https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote_10_1_0_ltm.html
Behavior changes in version 10.1.0
SSL::cert iRule commands (CR116806)
The following iRule commands now apply to the lifetime of the SSL session, and not only for the connection in which the system receives the client certificate:
SSL::cert GET_PEER_CERT
SSL::cert issuer GET_PEERCERTISSUER
SSL::cert count GET_PEER_CERTCOUNT
It looks like this functionality will eliminate the need to store the client cert (or cert details) in the session table.
Aaron
- Sinan_WANG
Nimbostratus
Hi Aaron,
For this CR I rewrote the iRule like this, and it works. Thanks for your reply.
# In 10.1.0 the peer cert is kept for the life of the SSL session, so it can be read directly
when HTTP_REQUEST {
    set cert [SSL::cert 0]
    HTTP::header insert SSLCLIENTCERTSUBJECT [X509::subject $cert],[X509::issuer $cert],[X509::version $cert],[X509::serial_number $cert],[X509::not_valid_before $cert],[X509::not_valid_after $cert]
    HTTP::header insert issuer [X509::issuer $cert]
    HTTP::header insert versionnum [X509::version $cert]
    HTTP::header insert serial [X509::serial_number $cert]
    HTTP::header insert not_valid_before [X509::not_valid_before $cert]
    HTTP::header insert not_valid_after [X509::not_valid_after $cert]
}
- hoolio
Cirrostratus
Glad that you got this working. I'll update the Codeshare entry with your example if that's okay.
Aaron
- Hi Aaron,
I am interested in this case.
Let me confirm my understanding of this case.
That is to say, we can use cert information to insert an HTTP header without using the CLIENTSSL_CLIENTCERT event and the session command.
Is my understanding correct?
As a matter of fact, we are attempting to use cert information to insert an HTTP header.
- hoolio
Cirrostratus
Hi Tendon,
Yes that's correct for 10.1 and higher as TMM automatically stores the SSL::cert value in the session cache.
Aaron
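A defensive variant of the working 10.1+ rule from this thread, added here as an example (it is not code from the thread or from F5). It assumes the same header names as the posts above and a clientssl profile that requests the client certificate; it strips any client-supplied copies of those headers before inserting them and skips the X509 calls when no certificate is present, which is the condition that produced the TCL error in the original post.

```tcl
# Added example, not from the thread. Header names match the posts above.
when HTTP_REQUEST {
    # The backend treats these headers as trusted certificate data, so any
    # copies the client sent itself must be dropped before insertion.
    foreach h {SSLCLIENTCERTSUBJECT issuer versionnum serial not_valid_before not_valid_after} {
        if { [HTTP::header exists $h] } {
            HTTP::header remove $h
        }
    }

    # In 10.1+ the peer cert is available for the life of the SSL session,
    # so no CLIENTSSL_CLIENTCERT / table bookkeeping is needed. X509::* on
    # an empty value raises the "while executing X509::subject" error, so
    # check that a certificate was actually presented.
    if { [SSL::cert count] < 1 } {
        log local0. "no client cert from [IP::client_addr]; cert headers not inserted"
        return
    }
    set cert [SSL::cert 0]

    # A malformed cert can still make an X509 command fail; catch it so the
    # request is not aborted by an uncaught TCL error.
    if { [catch {
        HTTP::header insert SSLCLIENTCERTSUBJECT "[X509::subject $cert],[X509::issuer $cert],[X509::version $cert],[X509::serial_number $cert],[X509::not_valid_before $cert],[X509::not_valid_after $cert]"
        HTTP::header insert issuer [X509::issuer $cert]
        HTTP::header insert versionnum [X509::version $cert]
        HTTP::header insert serial [X509::serial_number $cert]
        HTTP::header insert not_valid_before [X509::not_valid_before $cert]
        HTTP::header insert not_valid_after [X509::not_valid_after $cert]
    } err] } {
        log local0. "X509 parse failed for [IP::client_addr]: $err"
    }
}
```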