Forum Discussion
Cisco2F5_16233
Nimbostratus
Dec 14, 2011
iRule help
My name is Will. I just finished both my F5 classes, Essentials - V10 and Advanced Topics - V10. Now I am being thrown into the fire, as they say, and I need some help with this iRule.
What this iRule should do is:
"sets a variable called cert to the cert that comes in.....
uses that to set session persistence for 180 seconds.
sets another variable called clientip from the connected IP...
then some logging: if the variable cert isn't empty, add a log that says cert sent,
else, i.e. if it is empty, set a log that says no cert."
This is what it was in v9 and it worked perfectly:
    when CLIENTSSL_CLIENTCERT {
        # Save the client cert and store it in the session table, keyed by SSL session ID, for 180 s
        set cert [SSL::cert 0]
        session add ssl [SSL::sessionid] $cert 180
        set clientip [IP::remote_addr]
        if { $cert ne "" } {
            log local0. "iRULE:ClientIP:$clientip | Status: Cert Sent"
        } else {
            log local0. "iRULE:ClientIP:$clientip | Status: No Cert"
            reject
            return
        }
    }
    when HTTP_REQUEST {
        # Look the cert up again by session ID and pass its hash to the server in a header
        set client_cert [session lookup ssl [SSL::sessionid]]
        # Only hash when a cert was actually found (the old "info exists hash" test was always true)
        if { $client_cert ne "" } {
            set hash [X509::hash $client_cert]
            HTTP::header replace NETWORK_ALIAS $hash
            log local0. "iRULE:Inserting HTTP header client $clientip Cert Hash: $hash"
        }
    }
Now this iRule no longer works in v10.
Thank you in advance for your help!
3 Replies
- Michael_Yates
Nimbostratus
Hi Cisco2F5,
The SSL::sessionid behavior has changed in v10.x.x, which might be causing some strange behavior.
See the Wiki Entry for it here: SSL::sessionid
Returns the current connection's SSL session ID if it exists in the session cache.
In version 10.x, if the session ID does not exist in the cache, returns a null string.
In version 9.x, if the session ID does not exist in the cache, returns a string of 64 zeroes. (This Known Issue is documented in SOL11987.)
Hope this helps.
- Cisco2F5_16233
Nimbostratus
Thank you.. I'll try that out..
- hoolio
Cirrostratus
I agree with Michael on this. One issue with that iRule is that SSL::sessionid will return a null string instead of 64 zeroes if the client's session ID doesn't exist in TMM's cache.
That said, you should also add a check to see that the cert count is > 0 before adding anything to the session table. And you should check in HTTP_REQUEST to see that the session ID is not null before attempting a session lookup.
You could modify this Codeshare example to fit your scenario:
http://devcentral.f5.com/wiki/iRules.InsertCertInServerHeaders.ashx
Aaron
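Putting the two replies together: the block below is an added example, not code from the original post, from the Codeshare link above, or from F5. It reworks the v9 iRule from the question with the checks Michael and hoolio describe: a certificate count check before the session table write, a session ID check before the lookup, and handling of both the v10 null string and the v9 string of 64 zeroes that SSL::sessionid returns when the ID is not cached. The header name NETWORK_ALIAS and the 180 second lifetime come from the question. The `HTTP::header remove` in the no-cert paths is an assumption of mine: since the server behind the virtual treats that header as the client's identity, the iRule should never let a client-supplied copy of it pass through when no certificate is on file.

```tcl
# Added example: v9 iRule from the question reworked for v10 with the
# checks from the replies. NETWORK_ALIAS and 180 s come from the post;
# the header removal on the no-cert paths is this example's own choice.
when CLIENTSSL_CLIENTCERT {
    set clientip [IP::client_addr]
    # Only touch the session table when the client actually presented a cert
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        set sid  [SSL::sessionid]
        # v10 returns "" and v9 returned 64 zeroes when the ID is not cached;
        # never key the session table on that placeholder value
        if { $sid ne "" && $sid ne [string repeat 0 64] } {
            session add ssl $sid $cert 180
            log local0. "iRULE:ClientIP:$clientip | Status: Cert Sent"
        } else {
            log local0. "iRULE:ClientIP:$clientip | Status: Cert Sent, no cached session ID"
        }
    } else {
        log local0. "iRULE:ClientIP:$clientip | Status: No Cert"
        reject
        return
    }
}

when HTTP_REQUEST {
    set sid [SSL::sessionid]
    # Nothing to look up: strip any NETWORK_ALIAS the client may have sent itself
    if { $sid eq "" } {
        HTTP::header remove NETWORK_ALIAS
        return
    }
    set client_cert [session lookup ssl $sid]
    if { $client_cert ne "" } {
        # Hash only a real cert; X509::hash on an empty string would error
        set hash [X509::hash $client_cert]
        HTTP::header replace NETWORK_ALIAS $hash
        log local0. "iRULE:Inserting HTTP header client [IP::client_addr] Cert Hash: $hash"
    } else {
        # Session ID known but no cert on file: do not forward a client-supplied header
        HTTP::header remove NETWORK_ALIAS
    }
}
```

HTTP_REQUEST reads the client address with `IP::client_addr` rather than reusing `$clientip`, so the event still works if CLIENTSSL_CLIENTCERT did not set the variable on that connection. Apply the iRule to a virtual with a client SSL profile that requests or requires client certificates, and watch `/var/log/ltm` for the "no cached session ID" line: if it appears often, the client is not resuming sessions and the session-table approach will not carry the cert across requests.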