Forum Discussion

Ed_Martens
Dec 10, 2019

irule clientssl_clientcert log

Hi,

I am creating an iRule to do clientssl handling.

Everything works fine, but as always in some cases it doesn't work.

That is the reason why we all add debug options in scripts.

But for some reason, when using the log option under CLIENTSSL_CLIENTCERT it only logs the first log rule.

Even if there are no conditions on the logging (just two plain log rows), it only displays the first.

When commenting out the first row it logs the second??????


The LTM version we are running is 14.1.2.2, but we had the same issue on 13.1.1.2.

Am I doing something wrong?


Example:

These are the two lines:

 log "Client Certificate received: $subject_dn, [IP::client_addr]"

 log "BLAAT"


Many thanks in advance


when CLIENTSSL_CLIENTCERT {
   SSL::collect
   if { [SSL::cert count] > 0 } {
      set subject_dn [X509::subject [SSL::cert 0]]
      set cert_date [X509::not_valid_after [SSL::cert 0]]

      # not_valid_after returns a date string, so compare epoch seconds rather than strings;
      # static::today must then hold epoch seconds too (a value set in RULE_INIT is frozen at load time)
      if { [clock scan $cert_date] < $static::today } {
         log "ERROR: Certificate $subject_dn EXPIRED, END-Date $cert_date"
      }
      if { $subject_dn != "" } {
         log "Client Certificate received: $subject_dn, [IP::client_addr]"
         log "BLAAT"
         # if { $static::otudebug } { log "Client Certificate received: $subject_dn, [IP::client_addr]" }
         #set C [string range [lindex [X509::subject [SSL::cert 0]] 0] 2 end-1]
         # take the CN only up to the next comma (findstr terminator); without it any RDNs after CN= are included
         set cn [findstr $subject_dn "CN=" 3 ","]
         set cn [string map {"*" "ster"} $cn]
         set cn [string map {" " "_"} $cn]
         set dg "t-DG_$cn"
         set dg_ip "t-DGIP_$cn"

         if { [class match [IP::client_addr] equals $dg_ip] } {
            if { $static::otudebug } { log "DataGroup IP Match, [IP::client_addr]" }
         } else {
            log "ERROR: [IP::client_addr] NO IP MATCH in $dg_ip"
            reject
            # stop the event here so the rest of it does not run on a rejected connection
            return
         }

         # NOTE: $uri is not set anywhere in the posted rule, and HTTP::uri is only available from
         # HTTP_REQUEST onward, so this check belongs in that event (variables set here are still visible there)
         if { [class match $uri starts_with $dg] } {
            if { $static::otudebug } { log "DataGroup URI Match, [IP::client_addr]" }
         } else {
            log "ERROR: [IP::client_addr] NO URI MATCH in $dg for $cn"
            reject
            return
         }
      }
   } else {
      log "Client Certificate NOT FOUND, [IP::client_addr]"
      reject
      # return here, otherwise the debug log below reads $subject_dn, which was never set
      return
   }
   if { $static::otudebug } { log "Client Certificate received: $subject_dn, [IP::client_addr]" }
}

  • Per iRules 101 #9 Debugging:

    "While the facility and level parameters are optional, it is good to know that there is a significant behavioral difference when the optional <facility>.<level> is specified. When iRule logs messages without the facility and/or level, they are rate-limited as a class and subsequently logged messages within the rate-limit period may be suppressed even though they are textually different. However, when the <facility> and/or <level> are specified, the log messages are not rate-limited (though syslog-ng will still perform suppression of repeated duplicates)."

    Try adding facility and level to all your log commands to see if that makes a difference. For example:

    log local0.warning "Client Certificate received: $subject_dn, [IP::client_addr]"
    log local0.warning "BLAAT"

    You can also use just the facility part - local0. - without a log level and leave it at its default, which is Info.

    • Ed_Martens

      Thanks for the response and YES it was the answer...!!

      Sometimes life is easy.

      Many thanks
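For reference, here is the pattern the answer above describes applied to the whole rule, as an added example that is not the poster's iRule and not F5 code: every log call carries an explicit facility.level so that no message is rate-limited as a class, the expiry check compares epoch seconds instead of date strings, `class exists` guards against a data group that is simply not defined for a given CN (which would otherwise abort the rule), and the URI check is done in HTTP_REQUEST, the first event in which HTTP::uri is available. The data-group naming (t-DG_<cn>, t-DGIP_<cn>), the static::otudebug flag and the "ster"/"_" CN rewriting are assumptions carried over from the original post.

```tcl
# Added example, not the poster's rule: explicit facility.level on every log,
# epoch-based expiry check, class existence check, URI check moved to HTTP_REQUEST.
when RULE_INIT {
    # 1 = emit debug lines, 0 = errors only (assumed flag name from the original post)
    set static::otudebug 1
}

when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        log local0.err "Client certificate NOT FOUND, [IP::client_addr]"
        reject
        return
    }

    set subject_dn [X509::subject [SSL::cert 0]]
    set not_after  [X509::not_valid_after [SSL::cert 0]]

    # not_valid_after is a date string; compare it as epoch seconds against the current time
    if { [clock scan $not_after] < [clock seconds] } {
        log local0.err "ERROR: Certificate $subject_dn EXPIRED, END-Date $not_after"
        reject
        return
    }

    # CN only up to the next comma; '*' and ' ' rewritten so the value is usable in a data-group name
    set cn [findstr $subject_dn "CN=" 3 ","]
    set cn [string map {"*" "ster" " " "_"} $cn]
    set dg    "t-DG_$cn"
    set dg_ip "t-DGIP_$cn"

    # facility.level given, so these two lines are not rate-limited as a class
    if { $static::otudebug } {
        log local0.debug "Client Certificate received: $subject_dn, [IP::client_addr]"
        log local0.debug "Derived CN=$cn, data groups $dg / $dg_ip"
    }

    # a missing data group is treated as "no match" instead of letting class match raise a Tcl error
    if { ![class exists $dg_ip] || ![class match [IP::client_addr] equals $dg_ip] } {
        log local0.err "ERROR: [IP::client_addr] NO IP MATCH in $dg_ip"
        reject
        return
    }
    if { $static::otudebug } { log local0.debug "DataGroup IP Match, [IP::client_addr]" }
}

when HTTP_REQUEST {
    # $dg and $cn are connection-scoped, so they are still visible here after the handshake
    if { ![info exists dg] } {
        # no client certificate was evaluated on this connection
        reject
        return
    }
    if { [class exists $dg] && [class match [HTTP::uri] starts_with $dg] } {
        if { $static::otudebug } { log local0.debug "DataGroup URI Match, [IP::client_addr] [HTTP::uri]" }
    } else {
        log local0.err "ERROR: [IP::client_addr] NO URI MATCH in $dg for $cn, uri [HTTP::uri]"
        reject
    }
}
```

The debug lines go to local0.debug and the rejections to local0.err, so the two can be filtered separately in /var/log/ltm or at the remote syslog server; syslog-ng will still collapse exact duplicate lines, which is why the second debug line includes the derived CN rather than repeating the first.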