Forum Discussion

gestorm_105037 (Nimbostratus)
Jan 04, 2012

iRule SSL handshake doesn't run in 10.2.0

I have many problems with my iRule.

I have a BIG-IP running version 9.4.8, and the iRule must connect to a virtual server over HTTPS. There is a client SSL profile which generates a first certificate that is kept in cache. On Internet Explorer we must choose the certificate twice.

I performed an upgrade of my BIG-IP to version 10.2.0, but the problem is the same. We tested the iRule in version 10.2.0 and it doesn't run with the SSL handshake: there are failures and a TCL error.

Below is the iRule used:

# Event wrappers (when ...) are reconstructed from the commands used; they are not shown in the post as extracted.
when CLIENTSSL_HANDSHAKE {
    # Cache the client certificate under the SSL session ID the first time it is seen
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        session add ssl [SSL::sessionid] [SSL::cert 0]
    }
}

when HTTP_REQUEST {
    # Pass the cached client certificate to the backend in an HTTP header
    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]
    if { $the_cert ne "" } {
        HTTP::header insert SSL_CLIENT_CERT [X509::whole $the_cert]
    }
    log "Request GET [HTTP::uri]\n"
    log "Connection : [IP::remote_addr] -> [IP::local_addr] with method : [HTTP::method] and URI : [HTTP::uri] / X-Forwarded-For : [HTTP::header X-Forwarded-For] / SSL Certificate : [HTTP::header SSL_CLIENT_CERT]"
}

when HTTP_RESPONSE {
    if { [HTTP::is_redirect] } {
        # Rewrite the Location header from http to https
        HTTP::header replace Location [string map -nocase "http:// https://" [HTTP::header value Location]]
        log "F5 Redirect to [HTTP::header Location]"
    }
    log "APACHE Response : [HTTP::status], Location : [HTTP::header Location]\n"
}

If you have already had this kind of problem, please can you help me.

Thanks for your help,

2 Replies

  • Can you try SOL11987?

    Returns the current connection's SSL session ID if it exists in the session cache.

    In version 10.x, if the session ID does not exist in the cache, returns a null string.

    In version 9.x, if the session ID does not exist in the cache, returns a string of 64 zeroes. (This Known Issue is documented in SOL11987)

    SSL::sessionid wiki

  • You're attempting to add the client's certificate to the session table every time an SSL handshake is completed and the client's session ID isn't already in the SSL session cache. This will fail with a runtime TCL error if the client tries to resume an existing session, after the TMM session expires, but doesn't include the client cert.

    If you want to insert the details for a cert in the HTTP headers, you can use an iRule like this instead:

    This iRule accounts for the change in behavior that Nitass described for SSL::sessionid.
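One way to implement what this reply describes, written here as an added example and not the reply's own iRule: it only touches the session table when the client actually presented a certificate, treats both the 10.x empty string and the 9.x string of 64 zeroes as "not in cache", and removes any SSL_CLIENT_CERT header the client sent before inserting its own. The 300-second timeout is an assumption; the header name is taken from the original post.

```tcl
when CLIENTSSL_HANDSHAKE {
    # 10.x returns "" when the session ID is not cached; 9.x returns 64 zeroes (SOL11987).
    set sid [SSL::sessionid]
    if { $sid eq "" || $sid eq [string repeat 0 64] } {
        # No usable session ID, so there is nothing to key the cache entry on.
        return
    }
    # A resumed handshake carries no client certificate, so calling SSL::cert 0
    # unconditionally is what raises the runtime TCL error. Check first.
    if { [SSL::cert count] > 0 } {
        # Assumed 300-second lifetime; align it with the client SSL profile's cache timeout.
        session add ssl $sid [SSL::cert 0] 300
    }
}

when HTTP_REQUEST {
    set sid [SSL::sessionid]
    set the_cert ""
    if { $sid ne "" && $sid ne [string repeat 0 64] } {
        # Empty when the entry has expired or this session never presented a cert.
        set the_cert [session lookup ssl $sid]
    }
    # Drop any client-supplied copy so the backend only ever sees the value set here.
    HTTP::header remove SSL_CLIENT_CERT
    if { $the_cert ne "" } {
        HTTP::header insert SSL_CLIENT_CERT [X509::whole $the_cert]
    }
}
```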