Forum Discussion

Leszek_Majewsk1
Nov 19, 2007

how to pass variables

Why can't I read stored variables from the previous context?

example:

    when CLIENTSSL_CLIENTCERT {
        set cert [SSL::cert 0]
        set status [X509::verify_cert_error_string [SSL::verify_result]]
        set subject [X509::subject $cert]
        set serial [X509::serial_number $cert]
        set issuer [X509::issuer $cert]
        set values [list $cert $status $subject $serial]
        set locality "Warszawa"
        set count [SSL::cert count]
        session add ssl [SSL::sessionid] $values 3600
        log "Client handshake status: $status, serial number: $serial"
        log "subject: $subject"
        log "issuer: $issuer"
        log "count: $count"
        HTTP::release
    }


In this section I store the subject and issuer variables (I can see them in the log file).

The next context in my script is:


    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/pattern/" } {
            set cert [SSL::cert 1]
            set status [X509::verify_cert_error_string [SSL::verify_result]]
            log "status jest: $status"
            set subject [X509::subject $cert]
            set serial [X509::serial_number $cert]
            set issuer [X509::issuer $cert]
            set values [list $cert $status $subject $serial]
            set locality "Warszawa"
            set count [SSL::cert count]
            session add ssl [SSL::sessionid] $values 3600
            log "Client handshake status: $status, serial number: $serial"
            log "subject: $subject"
            log "issuer: $issuer"
            log "count: $count" ;# ..... (!)
        }
    }


I get an error related to the line set subject [X509::subject $cert] and I cannot read previously stored variables such as subject. I thought that the script runs line by line... What is wrong? How do I use the variables stored in the previous context???
  • hoolio
    Are you getting the TCL error from the CLIENTSSL_CLIENTCERT event, where you set the subject variable, or the HTTP_REQUEST event? I would guess the latter event. You're setting the cert variable to the second cert in the request. Are there two certs? What do you see for the log statement with [SSL::cert count]?

    Can you post the full logs from the rule for a single connection/request when you get an error?

    Thanks,
    Aaron
  • Hi,

    I also tried with cert 0:

        when HTTP_REQUEST {
            if { [HTTP::uri] starts_with "/pattern/" } {
                set cert [SSL::cert 0]
                set status [X509::verify_cert_error_string [SSL::verify_result]]
                log "status jest: $status"
                set subject [X509::subject $cert]
                set serial [X509::serial_number $cert]
                set issuer [X509::issuer $cert]
                set values [list $cert $status $subject $serial]
                set locality "Warszawa"
                set count [SSL::cert count]
                session add ssl [SSL::sessionid] $values 3600
                log "Client handshake status: $status, serial number: $serial"
                log "subject: $subject"
                log "issuer: $issuer"
                log "count: $count" ;# ..... (!)
            }
        }

    The log is:

        Fri Nov 16 16:43:29 CET 2007 tmm tmm[983] 01220002 Rule Polcard_1.3 CLIENTSSL_CLIENTCERT: count: 2
        Fri Nov 16 16:43:30 CET 2007 tmm tmm[983] 01220002 Rule Polcard_1.3 HTTP_REQUEST: status jest: ok
        Fri Nov 16 16:43:30 CET 2007 tmm tmm[983] 01220001 TCL error: Rule Polcard_1.3 HTTP_REQUEST - while executing X509::subject $cert=

    regards,
  • hoolio
    The error seems odd... the setting of the variable looks fine. Checking SOL5171, this post, and this codeshare example, I don't see a problem. What version are you running?

    Anyone else have ideas?

    Aaron
  • I contacted support about this exact issue and they said SOL5171 is wrong and needs to be updated. They are currently researching. If interested, I wrote an iRule that seems to be working (at least for our applications):

        when CLIENTSSL_CLIENTCERT {
            set cert [SSL::cert 0]
            session add ssl [SSL::sessionid] $cert 600
        }

        when HTTP_REQUEST {
            set client_cert [session lookup ssl [SSL::sessionid]]
            if { $client_cert eq "" } {
                SSL::renegotiate
            } else {
                HTTP::header insert X-Subject [X509::subject $client_cert]
            }
        }
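As an added example (not code from the thread or from F5), the session-table pattern from the post above with the checks a practitioner would want: the certificate is stored only when the handshake verification succeeded, client-supplied identity headers are stripped before the LTM-derived ones are inserted, and an empty lookup (no certificate yet, or an expired session entry) is handled. The X-Client-Cert-* header names and the 600-second TTL are arbitrary choices.

```tcl
# Added example: pass a verified client certificate from CLIENTSSL_CLIENTCERT to
# HTTP_REQUEST through the session table, keyed by the SSL session id.
when CLIENTSSL_CLIENTCERT {
    # SSL::verify_result is 0 (X509_V_OK) only when the chain validated
    # against the configured CA bundle; never store an unverified cert.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        session add ssl [SSL::sessionid] [SSL::cert 0] 600
        # Release the request held by HTTP::collect; this first request
        # proceeds without headers, later requests on this session get them.
        HTTP::release
    } else {
        log local0. "client cert rejected: [X509::verify_cert_error_string [SSL::verify_result]]"
        # Drop the connection so a failed renegotiation cannot loop.
        reject
    }
}

when HTTP_REQUEST {
    # A client can send any header it likes; remove identity headers before
    # inserting values derived from the verified certificate, so the backend
    # never sees a client-chosen subject or serial.
    HTTP::header remove X-Client-Cert-Subject
    HTTP::header remove X-Client-Cert-Serial

    set client_cert [session lookup ssl [SSL::sessionid]]
    if { $client_cert eq "" } {
        # Nothing stored for this SSL session: hold the request and ask the
        # client for a certificate; CLIENTSSL_CLIENTCERT releases or rejects.
        HTTP::collect
        SSL::renegotiate
        return
    }
    HTTP::header insert X-Client-Cert-Subject [X509::subject $client_cert]
    HTTP::header insert X-Client-Cert-Serial [X509::serial_number $client_cert]
}
```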
  • hoolio
    Hi leszcs,

    I've heard a few people say that the local variables they set in CLIENTSSL_CLIENTCERT aren't available in subsequent events. Did F5 support address this? I'm curious to see what they say.

    Thanks,
    Aaron