Forum Discussion
HTTP::respond Command in the CLIENTSSL_HANDSHAKE Event
Hi all,
I'm trying to use this: HTTP::respond 302 Location "http://google.co.uk/" under the CLIENTSSL_HANDSHAKE event, but keep getting this error: Illegal argument. Can't execute in the current context. (line 11) invoked from within "HTTP::respond 302 Location "http://google.co.uk/""
I'm running VE, v11.3.0 Build 3138.0. No other rules are applied to the Virtual Server. I'm not using any other ::respond or ::redirect commands anywhere within what is probably a 150 line or so irule also using the AUTH_RESULT and CLIENT_ACCEPTED events.
The wiki doesn't list CLIENTSSL_HANDSHAKE as a valid event for the HTTP::respond command but this article suggests it's allowed from v10.1: https://devcentral.f5.com/wiki/iRules.Client-Cert-Request-by-URI-with-OCSP-Checking-v10-1.ashx.
Any help gratefully appreciated. Thanks.
4 Replies
- Kevin_Stewart
Employee
Just a stretch here, but if it is or was allowed, it probably shouldn't be. The CLIENTSSL_HANDSHAKE command should be triggering at the completion of the SSL handshake (layers 5/6) and before the HTTP HUD filter kicks in (layer 7). I would probably assign a local variable and pick that up in the HTTP_REQUEST event.
- What_Lies_Bene1
Cirrostratus
Hey Kevin,
Understood, and that's what I'm doing on an OCSP check, but if it's just a case of no client certificate being presented I seem to be out of options. I've tried TCP::respond without success. I assume SSL::respond will be equally pointless?
- Kevin_Stewart
Employee
You'll necessarily want to do this in your auth rule, so here's a minor modification that should work for you:
```tcl
when CLIENT_ACCEPTED {
    set tmm_auth_ssl_ocsp_sid 0
    set tmm_auth_ssl_ocsp_done 0
}
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] > 0 } {
        set tmm_auth_ssl_ocsp_done 0
        if {$tmm_auth_ssl_ocsp_sid == 0} {
            set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
            if {[info exists tmm_auth_subscription]} {
                AUTH::subscribe $tmm_auth_ssl_ocsp_sid
            }
        }
        AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
        AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $tmm_auth_ssl_ocsp_sid
        SSL::handshake hold
    } else {
        # no cert
        set NOCERT 1
        SSL::session invalidate
    }
}
when CLIENTSSL_HANDSHAKE {
    set tmm_auth_ssl_ocsp_done 1
}
when AUTH_RESULT {
    if {[info exists tmm_auth_ssl_ocsp_sid] and ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
        set tmm_auth_status [AUTH::status]
        if {$tmm_auth_status == 0} {
            set tmm_auth_ssl_ocsp_done 1
            SSL::handshake resume
        } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
            reject
        }
    }
}
when HTTP_REQUEST {
    if { [info exists NOCERT] } {
        HTTP::redirect "http://www.yahoo.com"
    }
}
```
- What_Lies_Bene1
Cirrostratus
Can't do links in a comment, so just to continue: on the plus side, all this work has enabled me to come up with this HTTPS/SSL event order diagram, which I'm sure I and others will find very useful in future. Still a few updates due, but it's accurate (as far as I know): https://devcentral.f5.com/questions/irule-event-order-https-ssl-client-server-side
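The deferral Kevin describes (record the missing client certificate in the SSL-layer event, answer once HTTP_REQUEST fires and the HTTP commands are in context), applied to the original 302 to google.co.uk. This is an added example, not code posted in the thread; it assumes a clientssl profile whose Client Certificate setting is "request" rather than "require", so the handshake completes without a certificate, and the variable name nocert and the log text are illustrative choices.

```tcl
# Added example, not from the thread. HTTP::respond is rejected inside
# CLIENTSSL_HANDSHAKE because the HTTP filter has not run yet, so the
# decision is recorded there and the response is sent from HTTP_REQUEST.
# Assumes clientssl "Client Certificate: request" (not "require").
when CLIENT_ACCEPTED {
    # Per-connection flag, reset for every new TCP connection.
    set nocert 0
}
when CLIENTSSL_HANDSHAKE {
    # Layers 5/6: SSL::cert is in context here, HTTP::* is not.
    if { [SSL::cert count] == 0 } {
        set nocert 1
        # Log the event so unauthenticated TLS clients are visible to ops.
        log local0.info "no client cert from [IP::client_addr]:[TCP::client_port]"
    }
}
when HTTP_REQUEST {
    # Layer 7: the HTTP filter is active, so HTTP::respond is legal.
    if { $nocert } {
        HTTP::respond 302 Location "http://google.co.uk/" Connection "close"
        return
    }
}
```

If the client never sends an HTTP request after the handshake (a non-HTTP probe, for example), HTTP_REQUEST does not fire and no redirect is sent; the log line from CLIENTSSL_HANDSHAKE is the only record of that connection.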