Forum Discussion

mwi's avatar
mwi
Icon for Cirrus rankCirrus
May 14, 2021

iRule dont work with TLSv1.3

Hi,

can anyone tell my why this iRule dont work with TLS1.3?

when CLIENTSSL_CLIENTCERT {
 
    if { [SSL::cert 0] eq "" } { 
    }
    else {
        
        if {not([X509::not_valid_before [SSL::cert 0]] contains  "2021")} {        
                log local0. "oldCert: [X509::subject [SSL::cert 0]] -> [X509::issuer [SSL::cert 0]]"           
        }
        else {            
                log local0. "oldCert: newCert [X509::subject [SSL::cert 0]] -> [X509::issuer [SSL::cert 0]]"
        }

Cheers

  • Have you seen this:

     

    https://cdn.f5.com/product/bugtracker/ID753925.html (always use the F5 bug tracker to check for know bugs)?

     

     

    To be certain that it is a bug add simple log local0. after " CLIENTSSL_CLIENTCERT { " and before " if { [SSL::cert 0] eq "" } { " also add loh local0. right after " if { [SSL::cert 0] eq "" } { ". Maybe also add log local0. right after "     else { " and before " if {not([X509::not_valid_before [SSL::cert 0]] contains  "2021")} {   "

     

     

     

     

    This way you will se to where the irule is triggered before it stops working.

  • What error do you receive? FYI - it might be typo on your end, it's missing last 2 curly brackets.

  • no error, just no logging. If I enable "no TLS1.3" in the SSL-Profile it works.

    The brackets are my fault, i didnt copy the whole irule

  • Have you seen this:

     

    https://cdn.f5.com/product/bugtracker/ID753925.html (always use the F5 bug tracker to check for know bugs)?

     

     

    To be certain that it is a bug add simple log local0. after " CLIENTSSL_CLIENTCERT { " and before " if { [SSL::cert 0] eq "" } { " also add loh local0. right after " if { [SSL::cert 0] eq "" } { ". Maybe also add log local0. right after "     else { " and before " if {not([X509::not_valid_before [SSL::cert 0]] contains  "2021")} {   "

     

     

     

     

    This way you will se to where the irule is triggered before it stops working.