
Forum Discussion

Amit585731, Mar 30, 2016

Issue with client SSL profile iRule

Dear Experts,

I am trying to create an iRule for a requirement where the user wants a specified IP address to be presented with a defined cert and all others with the default cert. But while adding the iRule I am getting the error below. I am not adding a client SSL profile to the VS. Please suggest:

iRule:

    when CLIENT_ACCEPTED {
        # Pick the clientside SSL profile by source address before the TLS handshake starts
        if { [IP::addr [IP::client_addr] equals "1.1.1.1"] } {
            log local0. "IP address:[IP::client_addr]"
            SSL::profile Test1_SSL
        } else {
            log local0. "IP address:[IP::client_addr]"
            SSL::profile clientssl
        }
    }

Error (from /var/log/ltm):

    Internal info tmm[13056]: Rule /Common/test_ssl_irule : IP address:10.240.24.45
    Internal err tmm[13056]: 01220001:3: TCL error: /Common/test_ssl_irule - Operation not supported (line 6) (line 6)     invoked from within "SSL::profile clientssl"

    Internal info tmm[13056]: Rule /Common/test_ssl_irule : IP address:1.1.1.1
    Internal err tmm[13056]: 01220001:3: TCL error: /Common/test_ssl_irule - Operation not supported (line 3) (line 3)     invoked from within "SSL::profile Test1_SSL"

Thanks.

4 Replies

  • Which version are you seeing this behaviour on? I just tested it on 12.0.0, and it worked without error. What's in your Test1_SSL clientssl profile?
  • Hi Ian, I am using 11.6 code. Test1_SSL contains a self-signed cert. When I am not using the iRule and attach either profile to the VS, it works. Thanks.
  • The issue may be that you don't have a clientside SSL profile enabled on the VS to start with, so clientside SSL processing is not enabled. Can you assign the clientssl profile to the VS and try that?

  • Using an 'answer' so that I can apply formatting to this.

    I've tried to reproduce this on 11.6.0, but it works without issue for me. Please take a look at my config and see if you can spot what we're doing differently:

    # Answers every request itself, so no pool member is needed to exercise the clientssl profile
    ltm rule http_responder {
       when HTTP_REQUEST {
           HTTP::respond 200 content "[IP::client_addr]:[TCP::client_port] This is the best website ever\n\n"
       }
    }
    
    
    # Same logic as the question's iRule, with the chosen profile included in the log line
    ltm rule ssl {
        when CLIENT_ACCEPTED {
            if { [IP::addr [IP::client_addr] equals "1.1.1.1"] } {
                log local0. "IP address:[IP::client_addr]  Set SSL profile to Test1_SSL"
                SSL::profile Test1_SSL
            } else {
                log local0. "IP address:[IP::client_addr]  Set SSL profile to clientssl"
                SSL::profile clientssl
            }
        }
    }
    
    # Test VLAN and self IP so curl can be run from the BIG-IP itself
    create net vlan test interfaces add {1.1{tagged}} tag 111
    create net self test_self vlan test address 1.1.1.254/24
    
    # Throwaway self-signed key/cert for the second client-ssl profile
    create sys crypto key self-signed-key
    create sys crypto cert self-signed-cert key self-signed-key.key common-name fluffybunnies
    
    create ltm profile client-ssl Test1_SSL cert-key-chain replace-all-with { default { cert self-signed-cert.crt key self-signed-key.key } }
    
    # Note that the default clientssl profile is attached to the virtual; the iRule only switches away from it
    create ltm virtual test_ssl destination 1.1.1.100:443 profiles replace { clientssl http tcp } rules { http_responder ssl }
    

    And then test it:

    [root@ltm-1160-151:Active:Standalone] config # curl -k https://1.1.1.100
    1.1.1.254:58586 This is the best website ever
    
    /var/log/ltm:    
    Apr  5 19:58:24 ltm-1160-151 info tmm[11728]: Rule /Common/ssl : IP address:1.1.1.254  Set SSL profile to clientssl
    

    I then changed the 1.1.1.1 in the ssl rule to 1.1.1.254 so that it matches the curl request, and sets the other SSL profile:

    [root@ltm-1160-151:Active:Standalone] config # curl -k https://1.1.1.100
    1.1.1.254:58661 This is the best website ever
    
    /var/log/ltm:
    Apr  5 20:01:05 ltm-1160-151 info tmm[11728]: Rule /Common/ssl : IP address:1.1.1.254  Set SSL profile to Test1_SSL
    

    Granted, I'm just using an iRule to respond to the HTTP request, but that should be sufficient to test the clientssl profile without needing an actual pool member.

    Let me know if you can spot how we're differing here.
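
The following iRule is an added example and is not code from the original question or from Ian's answer. It generalises the one-address check above to an address data group and makes the failure mode from the question visible in the log instead of surfacing as an unhandled TCL error. Everything not in the thread is an assumption: the data group name ssl_profile_by_client, the profile name Partner_SSL, and the example records.

```tcl
# Added example (not from the thread): choose the clientside SSL profile by
# source address using an address-type data group.
#
# Assumptions (not present in the original post):
#  - an address data group "ssl_profile_by_client" maps client IP/subnet to
#    a client-ssl profile name, e.g. in tmsh:
#      ltm data-group internal ssl_profile_by_client {
#          type ip
#          records {
#              1.1.1.1/32 { data Test1_SSL }
#              10.0.0.0/8 { data Partner_SSL }
#          }
#      }
#  - the virtual server already has a client-ssl profile attached (clientssl
#    in Ian's reproduction). SSL::profile only switches an existing clientside
#    SSL context; with no client-ssl profile on the VS there is nothing to
#    switch and it fails with "Operation not supported", as in the question.

when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # Address data groups match on longest prefix, so a /32 record wins over
    # a covering subnet. -value returns the profile name stored for the match,
    # or an empty string when no record matches.
    set prof [class match -value $client equals ssl_profile_by_client]

    if { $prof eq "" } {
        # No override for this client: leave the VS's own client-ssl profile in place.
        log local0. "$client: no override, keeping the default client-ssl profile"
        return
    }

    # Switch profiles before the TLS handshake starts. Wrap the call so a
    # missing profile, or a VS without clientside SSL, logs a clear message
    # rather than aborting the iRule with a raw TCL error.
    if { [catch { SSL::profile $prof } err] } {
        log local0.err "$client: could not switch to client-ssl profile '$prof': $err (is a client-ssl profile attached to the VS?)"
    } else {
        log local0. "$client: using client-ssl profile $prof"
    }
}
```

Before attaching the rule, confirm the virtual actually carries a client-ssl profile with `tmsh list ltm virtual test_ssl profiles`, and after attaching it confirm which certificate each source address is served with `openssl s_client -connect 1.1.1.100:443 </dev/null 2>/dev/null | openssl x509 -noout -subject` run from an address that matches a record and from one that does not; the subject should change between the two.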