ScottG_82592
Feb 23, 2011 (Nimbostratus)
Problem with findstr
Hello,
I am trying to extract some data from a client SSL certificate, but I am having a problem when it tries to pass the data. In the first part of the script it appears to be passing the correct data, but then it shows another field. Essentially what happens is this. The first part of the iRule executes without error. I can see the client-offered certificate and extract the necessary information. The issue comes when I attempt to pass that information from "when CLIENTSSL_CLIENTCERT" mode to "when HTTP_REQUEST" mode. It places the value of "CYC" (the first field) into memory, but when it retrieves it, it's always "KIT" (the second field). I have no idea how the second value is the one passed.
RULE:
when CLIENTSSL_CLIENTCERT {
    # Take the client certificate and pull the first "OU=" value out of its subject
    # (findstr skips the 3 characters of "OU=" and stops at the next comma)
    set client_cert [SSL::cert 0]
    set subject [findstr [X509::subject $client_cert] "OU=" 3 ","]
    # Stash it in the session table, keyed by the SSL session ID, for 2 seconds
    session add ssl [SSL::sessionid] $subject 2
    log local0. "Output1: $subject"
}
when HTTP_REQUEST {
    # Retrieve the value stored for this SSL session
    set cert_x [session lookup ssl [SSL::sessionid]]
    log local0. "Output2: $cert_x"
    # "contains" is an expression operator; it must be negated inside the
    # expression, not wrapped in command brackets
    if { !($cert_x contains "CYC") } {
        log local0. "Invalid Cert: [IP::client_addr] & $cert_x"
        HTTP::respond 403 content {Invalid Certificate Error
Invalid Certificate Error
You used an invalid Certificate.
Please validate your certificate.
}
    }
}
LOGGED OUTPUT:
Feb 8 19:56:34 tmm tmm[1743]: Cert_Extract_rule_rule : Output1: CYC
Feb 8 19:56:34 tmm tmm[1743]: Cert_Extract_rule_rule : Output2: KIT
Feb 8 19:56:34 tmm tmm[1743]: 01220001:3: TCL error: massl_550_productioncert_rule - invalid command name "KIT" while executing "$cert_x contains "CYC""
CAPTURE OF CLIENT OFFERED SSL CERT SUBJECT:
Feb 8 19:30:33 tmm tmm[1743]: Cert_Extract_rule_rule : Output2: 1.2.3.4 & CN=crash.scottsracing.com,OU=CYC,OU=KIT,OU=TESTY,O=Scotts Racing]
3 Replies
- Can you log the value for [SSL::sessionid] in both events? I wonder if one or both is either 64 zeroes or null. You should add a check for this condition before adding the session table entry. See the wiki page for details:
- But why would it return the second value in the string? Since there are three of the OU= values I am wondering if it is just getting confused during the running and pulling the second value instead of the first value.
- I'm guessing that another user's session might have overwritten the session table entry if they both have an SSL session ID of null or 64 zeroes. If you log the SSL session IDs, can you check for this potential issue?
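As an added illustration (Python that models the logic, not iRule code and not posted by anyone in this thread), the block below shows what the question's findstr call extracts from the captured subject, how to check every OU= value instead of only the first, and a stand-in session table reproducing the symptom the replies suspect: two clients that share a null/all-zero SSL session ID overwrite each other's entry, so the first client's lookup returns the second client's value. The two simulated subjects and the all-zero session ID value are constructed assumptions; the guard in SessionTable.add is the check the first reply recommends.

```python
# Constructed model (Python, not iRule code) of the findstr extraction and the
# session-table collision discussed in the thread above.

# Subject copied from the capture in the question.
SAMPLE_SUBJECT = "CN=crash.scottsracing.com,OU=CYC,OU=KIT,OU=TESTY,O=Scotts Racing"
ALL_ZERO_ID = "0" * 64            # assumed null-session-ID value, as the replies describe
NULL_SESSION_IDS = {"", ALL_ZERO_ID}


def findstr(string, search, skip=0, terminator=None):
    """Approximation of the iRule findstr command: find `search` in `string`,
    move `skip` characters past the start of the match, and return the text up
    to (not including) `terminator`, or the rest of the string if absent."""
    idx = string.find(search)
    if idx < 0:
        return ""
    start = idx + skip
    if terminator is None:
        return string[start:]
    end = string.find(terminator, start)
    return string[start:] if end < 0 else string[start:end]


def subject_ous(subject):
    """Every OU= value in a comma-separated subject, in certificate order.
    Plain split on ',': escaped commas inside a DN value are out of scope here."""
    return [part[3:] for part in subject.split(",") if part.startswith("OU=")]


class SessionTable:
    """Minimal stand-in for `session add` / `session lookup`; timeouts ignored."""

    def __init__(self, reject_null_ids):
        self.reject_null_ids = reject_null_ids
        self._entries = {}

    def add(self, session_id, value):
        # The check the first reply recommends: never key an entry on an ID
        # that every client without session resumption shares.
        if self.reject_null_ids and session_id in NULL_SESSION_IDS:
            return False
        self._entries[session_id] = value
        return True

    def lookup(self, session_id):
        return self._entries.get(session_id, "")


def simulate(reject_null_ids):
    """Two clients with the same all-zero session ID: A presents OU=CYC, B
    presents OU=KIT, and both run the CLIENTSSL_CLIENTCERT logic before A's
    HTTP_REQUEST arrives.  Returns what A's session lookup sees."""
    table = SessionTable(reject_null_ids)
    subject_a = "CN=a.example,OU=CYC,O=Scotts Racing"   # constructed
    subject_b = "CN=b.example,OU=KIT,O=Scotts Racing"   # constructed
    table.add(ALL_ZERO_ID, findstr(subject_a, "OU=", 3, ","))   # A stores CYC
    table.add(ALL_ZERO_ID, findstr(subject_b, "OU=", 3, ","))   # B overwrites it with KIT
    return table.lookup(ALL_ZERO_ID)                              # A's HTTP_REQUEST lookup


if __name__ == "__main__":
    print(findstr(SAMPLE_SUBJECT, "OU=", 3, ","))   # CYC: findstr returns only the first OU
    print(subject_ous(SAMPLE_SUBJECT))               # ['CYC', 'KIT', 'TESTY']
    print(simulate(reject_null_ids=False))           # KIT: the symptom logged in the question
    print(simulate(reject_null_ids=True))            # '' : entry refused; read the cert directly instead
```

When the guard refuses the add, the HTTP_REQUEST side gets an empty lookup rather than another client's value, which is the safer failure: it can then fall back to the certificate itself, or reject the request, instead of authorising on a field that belongs to a different connection. Checking all OU values rather than the first also removes the dependence on the order in which the CA happened to emit them.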