Forum Discussion

Cisco2F5_16233's avatar
Icon for Nimbostratus rankNimbostratus
Dec 14, 2011

iRule help

My name is Will i just finished both my F5 classes Essentials - V10v and Advanced Topics - V10 Now i am being thrown into the fire as they say and i need some help with this irule.





What this irule should do is


"sets a varable called cert to the cert that comes in.....


uses that to set session persistance for 180 seconds.


sets another varable called clientip from the connected ip...


then some logging, if the varable cert isn't empty, add a log that says cert sent.


else, ie if it is empty set a log that say no cert."




This is what is was in v9 and worked perfectly





set cert [SSL::cert 0]


session add ssl [SSL::sessionid] $cert 180


set clientip [IP::remote_addr]


if { $cert ne ""} {


log local0. "iRULE:ClientIP:$clientip | Status: Cert Sent"


} else {


log local0. "iRULE:ClientIP:$clientip | Status: No Cert"














set client_cert [session lookup ssl [SSL::sessionid]]


set hash [X509::hash $client_cert]


if { [info exists hash] } {


HTTP::header replace NETWORK_ALIAS $hash


log local0. "iRULE:Inserting HTTP header client $clientip Cert Hash: $hash"











Now this irule no longer works in v10




Thank you in advance for your help!






3 Replies

  • Hi Cisco2F5,



    The SSL::sessionid behavior has changed in v10.x.x which might be causing some strange behavior.



    See the Wiki Entry for it here: SSL::sessionid




    Returns the current connection's SSL session ID if it exists in the session cache.


    In version 10.x, if the session ID does not exist in the cache, returns a null string.


    In version 9.x, if the session ID does not exist in the cache, returns a string of 64 zeroes. (This Known Issue is documented in SOL11987 )




    Hope this helps.
  • I agree with Michael on this. One issue with that iRule is that SSL::sessionid will return a null string instead of 64 zeroes if the client's session ID doesn't exist in TMM's cache.



    That said, you should also add a check to see that the cert count is > 0 before adding anything to the session table. And you should check in HTTP_REQUEST to see that the session ID is not null before attempting a session lookup.



    You could modify this Codeshare example to fit your scenario: