For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Blair_Murray_10's avatar
Blair_Murray_10
Icon for Nimbostratus rankNimbostratus
Feb 24, 2014

iRule not working with 11.4

We have an iRule that was working fine on our LTM with 11.1. We are in the process of upgrading our System to 11.4 , when I make the LTM running this newer code the active member this iRule will not ...
application delivery
devops
iRules
LTM
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Feb 24, 2014

Move you HTTP::release command to the CLIENTSSL_CLIENTCERT event.

when CLIENTSSL_CLIENTCERT { 
    if { [SSL::cert count] > 0 } {
        set ClientCertificatePresent 1 
        set IVUSER [substr [X509::subject [SSL::cert 0]] 3 ","]
        HTTP::release
    } 
}
when HTTP_REQUEST { 
    set CookiePresent 0 
    set ClientCertificatePresent 0

    if { [HTTP::cookie exists "IV-USER"] } { 
        set CookiePresent 1 
    }

    if { not [matchclass [IP::remote_addr] equals CompanyX_ACME_NonClientCertificate ] } {
        if { [matchclass [HTTP::uri] starts_with CompanyX.ACME.SSO] } {
            HTTP::collect
            SSL::authenticate once
            SSL::authenticate depth 9
            SSL::cert mode request
            SSL::renegotiate
        }
    }
}
when HTTP_REQUEST_SEND {
    clientside { 
        if { $CookiePresent eq 0 and $ClientCertificatePresent eq 1 } {
            HTTP::cookie insert name "IV-USER" value $IVUSER 
        } 
    } 
}
when HTTP_RESPONSE {
    if { $CookiePresent eq 0 and $ClientCertificatePresent eq 1 } { 
        HTTP::header insert Set-Cookie "IV-USER=$IVUSER; Path=/" 
    } 
}