Forum Discussion
Hille_de_Graaf_
Nimbostratus
NimbostratusSSL ClientCert check
We are trying to build an iRule to check if an SSL client cert is valid, and I used the iRule from Wikis (list below), but when I try to connect the /var/log/ltm gives me the following error:
Sep 15 13:44:46 tmm tmm[723]: 01220001:3: TCL error: Rule pok - Prerequisite operation not in progress (line 1) invoked from within "session add ssl [SSL::sessionid] $ssl_stuff 180"
Sep 15 13:44:46 tmm tmm[723]: 01220001:3: TCL error: Rule pok - Prerequisite operation not in progress (line 6) invoked from within "session lookup ssl [SSL::sessionid]"
What is wrong about this iRule?
I'am running version 9.1.2 on a 3400LTM
Below the iRule from Wikis
when CLIENTSSL_CLIENTCERT {
set ssl_stuff [list anything1 anything2]
set ssl_cert [SSL::cert 0]
set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
lset ssl_stuff 0 $ssl_cert
lset ssl_stuff 1 $ssl_errstr
session add ssl [SSL::sessionid] $ssl_stuff 180
}
when HTTP_REQUEST {
set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
set ssl_cert2 [lindex $ssl_stuff2 0]
set ssl_errstr2 [lindex $ssl_stuff2 1]
if { $ssl_errstr2 eq "ok" } {
HTTP::header insert SSLClientCertStatus $ssl_errstr2
HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
} else {
HTTP::redirect http://192.168.0.64/error.html
}
}
Nuno__Paulino_6Hi!
I am in the same situation.
Does anyone have a solution ?
Thanks
hoolioCirrostratus
Hi Nuno,
I tried searching devcentral and internally, but haven't found anything clear on this error.
Do you see it happen on every request? Can you add logging to the rule to see what the variables are set to when it errs?
Do you have other rules attached to the same VIP?
Aaron
Randy_AbramsI get the same error (9.3.1 HF2). Very frustrating. The documentation indicates that an AUTH_SUCCESS event does not allow a "session" command. Seems like an iRule that is presented as a contest winner should just work.- I see that the documentation indeed does not list AUTH_SUCCESS as an allowed event for the session command. The lists of allowed events are currently one of the biggest weaknesses of the iRules wiki; I can assure you that we're working on it. Please also know that the session command is allowed in the AUTH_SUCCESS event, as well as most others.
The most common reason for the "Prerequisite operation not in progress" error when using the session or persist commands is that you don't have a default pool defined. By default, persist and session records are tied to a pool, so if you don't currently have one then you get that error (but it may happen in other ways too; this is just the most common). So, either assign a default pool, or specify that the record should not be tied to a pool (via the "any virtual" option), and that should fix the error.
