Forum Discussion
johnko05_45751
Nimbostratus
Sep 07, 2010
iRule v9 to v10 conversion
Hello, I used the iRule below just fine on version 9.4.8. We recently upgraded to 10.2. Now I get the following error in /var/log/ltm whenever this iRule is invoked:
Sep 7 23:17:41 local/tmm1 err tmm1[18638]: 01220001:3: TCL error: SSL_Header_Values_Insert - wrong args: should be "session add ssl " while executing "session add ssl [SSL::sessionid] $cert 600" clientside expression (line 3) invoked from within "clientside { set cert "SSL::cert" session add ssl [SSL::sessionid] $cert 600 set cname "SSL::cipher name" set cbits "SSL::cipher b..."
I tried playing around with the "session add ssl" line like so:
set sid "SSL::sessionid"
session add ssl $sid $cert 600
That allowed the processing to continue, however it also caused the BIGIP to panic and reboot! Below is the iRule from 9.4.8. Is there a syntax change I need to make for this to work in v10.2?
when CLIENTSSL_HANDSHAKE {
    if { [SSL::cert count] > 0 } {
        HTTP::release
    }
}
when CLIENTSSL_CLIENTCERT {
    clientside {
        set cert "SSL::cert"
        session add ssl [SSL::sessionid] $cert 600
        set cname "SSL::cipher name"
        set cbits "SSL::cipher bits"
        set cver "SSL::cipher version"
        set cn [X509::subject [eval $cert 0]]
        set cSSLSubject [findstr $cn "CN=" 3 ","]
        set cSSLClientCert [b64encode [eval $cert 0]]
    }
}
when HTTP_REQUEST {
    clientside {
        set client_cert [session lookup ssl [SSL::sessionid]]
        if { $client_cert eq "" } {
            HTTP::collect
            SSL::renegotiate
            log local4.info "SSL session Timed out: renegotiating"
            log local4.info "The page being accessed was [HTTP::uri]"
        } else {
            HTTP::header remove SSLSubject
            HTTP::header remove SSLClientCert
            HTTP::header remove SSLCipher
            HTTP::header remove WebProtocol
            HTTP::header remove ClientIP
            HTTP::header replace ClientIP [IP::remote_addr]
            if { [PROFILE::exists clientssl] == 1 } {
                HTTP::header replace SSLCipher [eval $cname]:[eval $cbits]-[eval $cver]
                if { [eval $cert count] > 0 } {
                    HTTP::header replace SSLSubject $cSSLSubject
                    HTTP::header replace SSLClientCert $cSSLClientCert
                    HTTP::header replace WebProtocol "HTTPS-auth"
                } else {
                    HTTP::header replace WebProtocol "HTTPS"
                }
            } else {
                log "session discarded"
                discard
            }
        }
    }
}
5 Replies
- johnko05_45751
Nimbostratus
I was able to fix the iRule. I changed this:
when CLIENTSSL_CLIENTCERT {
    clientside {
        set cert "SSL::cert"
        session add ssl [SSL::sessionid] $cert 600
        set cname "SSL::cipher name"
        set cbits "SSL::cipher bits"
        set cver "SSL::cipher version"
        set cn [X509::subject [eval $cert 0]]
        set cSSLSubject [findstr $cn "CN=" 3 ","]
        set cSSLClientCert [b64encode [eval $cert 0]]
    }
}
TO THIS:
when CLIENTSSL_CLIENTCERT {
    clientside {
        set cert "SSL::cert"
        set cname "SSL::cipher name"
        set cbits "SSL::cipher bits"
        set cver "SSL::cipher version"
        set cn [X509::subject [eval $cert 0]]
        set cSSLSubject [findstr $cn "CN=" 3 ","]
        set cSSLClientCert [b64encode [eval $cert 0]]
        set key [concat [SSL::sessionid] [SSL::cert 0]]
        session add ssl $key 600
    }
}
- Anthony_7417
Historic F5 Account
What I think the problem was is that, at run-time, SSL::sessionid returned null. If SSL::sessionid returns null, when the "session add" command runs, the argument is missing.
It's possible for SSL::sessionid to return null - but only in v10. In v9, instead of returning null, it would return a string of 64 zeros. See:
http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__sessionid.html -- so this explains why you only ran into the problem after upgrading.
The reason it began working after your change is because you concatenated it with the client certificate -- so now it will never be null.
The better approach might be to test that SSL::sessionid returned a real value before attempting to use it in the session command.
- hoolio
Cirrostratus
Hi Anthony,
Thanks for pointing this out. I wasn't aware of the change in LTM behavior. This would potentially break the v10 iRules I've written for client cert validation, so I'm glad to find out about the change.
Aaron
- Anthony_7417
Historic F5 Account
No problems, hoolio!
Side note:
I noticed in your (johnko05's) rule that you would set a command-string as a variable, and then later execute it with eval:
set cert "SSL::cert"
...
set cn [X509::subject [eval $cert 0]]
It wasn't immediately obvious to me what problem you were trying to solve by writing the rule this way, but I'm sure it is quite deliberate. Would you mind enlightening me?
- Hi everyone.
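As an added example (not code from any poster in this thread), here is one way to write the guard Anthony describes: check that SSL::sessionid returned a non-empty value before calling session add, and check it again before session lookup in HTTP_REQUEST, so neither command is ever invoked with a missing key on v10. It stores the certificate data itself in the session table rather than the "SSL::cert" command string, so HTTP_REQUEST can read the subject and the base64 certificate back directly; the header names and the 600-second timeout are taken from the original rule, and the log facility local0. is an assumption.

```tcl
# Added example: guarded client-cert caching for LTM v10, where SSL::sessionid
# may return an empty string instead of the 64 zeros v9 returned.
when CLIENTSSL_HANDSHAKE {
    # release the request held by HTTP::collect once the renegotiated
    # handshake has delivered a certificate (as in the original rule)
    if { [SSL::cert count] > 0 } {
        HTTP::release
    }
}

when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] < 1 } {
        # no client certificate presented; nothing to cache
        return
    }
    set sid [SSL::sessionid]
    if { [string length $sid] == 0 } {
        # guard: an empty key would make "session add" fail with "wrong args"
        log local0. "SSL::sessionid empty in CLIENTSSL_CLIENTCERT; cert not cached"
        return
    }
    set cert_der [SSL::cert 0]
    set cn [X509::subject $cert_der]
    set subject [findstr $cn "CN=" 3 ","]
    # cache the subject CN and the base64 certificate under the session ID for 600 s
    session add ssl $sid [list $subject [b64encode $cert_der]] 600
}

when HTTP_REQUEST {
    set sid [SSL::sessionid]
    set cached ""
    if { [string length $sid] > 0 } {
        # same guard on the lookup side; an empty key is never passed to session lookup
        set cached [session lookup ssl $sid]
    }
    if { $cached eq "" } {
        # nothing cached for this session: hold the request and ask for a certificate
        HTTP::collect
        SSL::renegotiate
        log local4.info "SSL session not cached: renegotiating for [HTTP::uri]"
        return
    }
    # remove any client-supplied copies of these headers before setting our own,
    # so a client cannot inject its own SSLSubject or SSLClientCert value
    foreach h {SSLSubject SSLClientCert WebProtocol ClientIP} {
        HTTP::header remove $h
    }
    HTTP::header replace ClientIP [IP::remote_addr]
    HTTP::header replace SSLSubject [lindex $cached 0]
    HTTP::header replace SSLClientCert [lindex $cached 1]
    HTTP::header replace WebProtocol "HTTPS-auth"
}
```

The two string-length checks are the only change that addresses the v10 error; the rest mirrors the original rule's flow. Keeping the header removal before the replace calls matters because the backend trusts SSLSubject and SSLClientCert as the authenticated identity, so a value the client sent in its own request must never survive to the server.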