Forum Discussion

ScottG_82592's avatar
Icon for Nimbostratus rankNimbostratus
Feb 23, 2011

Problem with findstr

Hello, I am trying to extract some data from Client SSL Certificate. But I am having a problem when it is trying to pass the data. It is first part of the script it appears that it is passing the correct data but then it shows another field. Essentially what happens is this. The first part of the iRule executes without error. I can see the client offered certificate and extract out the necessary information. The issue comes when I attempt to pass that information from “when CLIENTSSL_CLIENTCERT” mode to “when HTTP_REQUEST” mode. It places the value of “CYC” (first field) into the memory, but when retrieves it, it’s always “KIT” (second field). I have no idea how the second value is the one passed.










set client_cert [SSL::cert 0]


set subject [findstr [X509::subject $cert] "OU=" 3 ","]


session add ssl [SSL::sessionid] $subject 2


log local0. "Output1: $subject"






set cert_x [session lookup ssl [SSL::sessionid]]


log local0. "Output2: $cert_x"


if {not[$cert_x contains "CYC"]}{


log local0. "Invalid Cert: [IP::client_addr] & $cert_x]"


HTTP::respond Bad Content { Invalid Certificate Error


Invalid Certificate Error


You used an invalid Certificate.



Please validate your certificate.












Feb 8 19:56:34 tmm tmm[1743]: Cert_Extract_rule_rule : Output1: CYC


Feb 8 19:56:34 tmm tmm[1743]: Cert_Extract_rule_rule : Output2: KIT


Feb 8 19:56:34 tmm tmm[1743]: 01220001:3: TCL error: massl_550_productioncert_rule - invalid command name "KIT" while executing "$cert_x contains "CYC""





Feb 8 19:30:33 tmm tmm[1743]: Cert_Extract_rule_rule : Output2: &,OU=CYC,OU=KIT,OU=TESTY,O=Scotts Racing]

3 Replies

  • Can you log the value for [SSL::sessionid] in both events? I wonder if one or both is either 64 zeroes or null. You should add a check for this condition before adding the session table entry. See the wiki page for details:






    In version 10.x, if the session ID does not exist in the cache, returns a null string.



    In version 9.x, if the session ID does not exist in the cache, returns a string of 64 zeroes. (This Known Issue is documented in SOL11987 )




  • But why would it return the second value in the string? Since there are three of the OU= values I am wondering if it is just getting confused during the running and pulling the second value instead of the first value.
  • I'm guessing that another user's session might have overwritten the session table entry if they both have an SSL session ID of null or 64 zeroes. If you log the SSL session ID's can you check for this potential issue?



    Also, you can change this line from:



    if {not[$cert_x contains "CYC"]}{






    if { not ($cert_x contains "CYC") }{



    in order to avoid the runtime error.