F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

TIm_Maestas's avatar
TIm_Maestas
Icon for Nimbostratus rankNimbostratus
Apr 05, 2005

SSL cert verify TCL error?

I have the following iRule:     when CLIENTSSL_HANDSHAKE {   set cert [SSL::cert 0 ]   }   when HTTP_REQUEST {   set stuff [X509::subject $cert ]   if { [matchclas...
application delivery
dev
devops
iRules
TIm_Maestas's avatar
TIm_Maestas
Icon for Nimbostratus rankNimbostratus
Apr 05, 2005
That didn't seem to work. My rule now looks like

 

 

when CLIENTSSL_HANDSHAKE {

 

set cert [SSL::cert 0 ]

 

}

 

when HTTP_REQUEST {

 

 

if { [ info exists cert ] } {

 

log local0. "cert variable is $cert"

 

set stuff [X509::subject $cert ]

 

if { [matchclass $stuff contains $::merlin] } {

 

use pool test-sun }

 

else {

 

log local0. "Invalid Cert from [IP::client_addr]"

 

reject

 

}

 

 

} else {

 

log local0. "No Cert Presented from [IP::client_addr]"

 

reject

 

}

 

}

 

 

But I'm still getting the error when a client comes in via IP address (or any other way that requires them to click yes to the SSL warning pop-up dialogue). The log message seems to indicate that indeed the $cert variable is not being populated, but if that is the case why is that block of the rule getting executed at all?

 

 

 

Apr 5 21:19:25 tmm tmm[5569]: Rule test : cert variable is

 

Apr 5 21:19:25 tmm tmm[5569]: 01220001:3: TCL error: Rule test - while executing "X509::subject $cert "

 

 

Thanks.