Forum Discussion
Hille_de_Graaf_
Nimbostratus
Sep 15, 2006
SSL ClientCert check
We are trying to build an iRule to check if an SSL client cert is valid, and I used the iRule from Wikis (listed below), but when I try to connect, /var/log/ltm gives me the following error:
Sep 15 13:44:46 tmm tmm[723]: 01220001:3: TCL error: Rule pok - Prerequisite operation not in progress (line 1) invoked from within "session add ssl [SSL::sessionid] $ssl_stuff 180"
Sep 15 13:44:46 tmm tmm[723]: 01220001:3: TCL error: Rule pok - Prerequisite operation not in progress (line 6) invoked from within "session lookup ssl [SSL::sessionid]"
What is wrong with this iRule?
I'm running version 9.1.2 on a 3400LTM.
Below is the iRule from Wikis:
when CLIENTSSL_CLIENTCERT {
    set ssl_stuff [list anything1 anything2]
    set ssl_cert [SSL::cert 0]
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    lset ssl_stuff 0 $ssl_cert
    lset ssl_stuff 1 $ssl_errstr
    session add ssl [SSL::sessionid] $ssl_stuff 180
}
when HTTP_REQUEST {
    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
    set ssl_cert2 [lindex $ssl_stuff2 0]
    set ssl_errstr2 [lindex $ssl_stuff2 1]
    if { $ssl_errstr2 eq "ok" } {
        HTTP::header insert SSLClientCertStatus $ssl_errstr2
        HTTP::header insert SSLClientCertSN [X509::serial_number $ssl_cert2]
    } else {
        HTTP::redirect http://192.168.0.64/error.html
    }
}
4 Replies
- Nuno__Paulino_6
Nimbostratus
Hi!
I am in the same situation.
Does anyone have a solution?
Thanks
- hoolio
Cirrostratus
Hi Nuno,
I tried searching devcentral and internally, but haven't found anything clear on this error.
Do you see it happen on every request? Can you add logging to the rule to see what the variables are set to when it errs?
Do you have other rules attached to the same VIP?
Aaron
- Randy_Abrams
Nimbostratus
I get the same error (9.3.1 HF2). Very frustrating. The documentation indicates that an AUTH_SUCCESS event does not allow a "session" command. Seems like an iRule that is presented as a contest winner should just work.
- spark_86682
Historic F5 Account
I see that the documentation indeed does not list AUTH_SUCCESS as an allowed event for the session command. The lists of allowed events are currently one of the biggest weaknesses of the iRules wiki; I can assure you that we're working on it. Please also know that the session command is allowed in the AUTH_SUCCESS event, as well as most others.
The most common reason for the "Prerequisite operation not in progress" error when using the session or persist commands is that you don't have a default pool defined. By default, persist and session records are tied to a pool, so if you don't currently have one then you get that error (but it may happen in other ways too; this is just the most common). So, either assign a default pool, or specify that the record should not be tied to a pool (via the "any virtual" option), and that should fix the error.
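A small triage script for the /var/log/ltm lines quoted in this thread, applying the rule of thumb from the last reply (this error on a session or persist command usually means no default pool). It is an added example, not code from any poster or from F5; the function names and the third sample line are constructed for illustration.

```python
import re
from collections import Counter

# Sample input: the two log lines quoted in the question, plus one
# constructed unrelated line to show that non-matching lines are skipped.
SAMPLE_LOG = r"""Sep 15 13:44:46 tmm tmm[723]: 01220001:3: TCL error: Rule pok - Prerequisite operation not in progress (line 1) invoked from within "session add ssl [SSL::sessionid] $ssl_stuff 180"
Sep 15 13:44:46 tmm tmm[723]: 01220001:3: TCL error: Rule pok - Prerequisite operation not in progress (line 6) invoked from within "session lookup ssl [SSL::sessionid]"
Sep 15 13:44:47 tmm tmm[723]: constructed unrelated message
"""

# Matches the TMM "TCL error" layout exactly as it appears in the thread.
TCL_ERROR = re.compile(
    r'TCL error: Rule (?P<rule>\S+) - (?P<error>.+?) \(line (?P<line>\d+)\)'
    r' invoked from within "(?P<command>.*)"\s*$'
)

def parse_tcl_errors(log_text):
    """Return one dict per 'TCL error' line; other lines are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = TCL_ERROR.search(raw)
        if not m:
            continue
        event = m.groupdict()
        event["line"] = int(event["line"])
        # First word of the failing iRule command, e.g. "session".
        parts = event["command"].split(None, 1)
        event["verb"] = parts[0] if parts else ""
        events.append(event)
    return events

def likely_pool_binding(event):
    """Rule of thumb from the reply above: this error on a session or
    persist command most often means the virtual has no default pool."""
    return (event["error"] == "Prerequisite operation not in progress"
            and event["verb"] in ("session", "persist"))

def summarize(log_text):
    """Count pool-binding suspects per (rule name, command verb)."""
    return Counter((e["rule"], e["verb"])
                   for e in parse_tcl_errors(log_text)
                   if likely_pool_binding(e))

if __name__ == "__main__":
    for (rule, verb), n in summarize(SAMPLE_LOG).items():
        print(f"rule {rule}: {n} '{verb}' failures, check default pool")
```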
