Forum Discussion

Josiah_46618's avatar
Josiah_46618
Icon for Nimbostratus rankNimbostratus
Feb 07, 2012

SSL events require an SSL profile...

Here is the error I am encountering:

 

 

01070394:3: CLIENTSSL_CLIENTCERT event in rule (Insert_Headers_SSL) requires an associated CLIENTSSL profile on the virtual server (Static_Web).

 

 

I understand why the BIG-IP throws an error as the SSL related events will never fire during a non-SSL connection, but I would imagine that the rule would still work for the HTTP_REQUEST events.

 

 

It would be extremely useful to be able to use one iRule across all my VIPs; I even have a clause in the iRule to check for a clientssl profile before deciding which execution flow to follow.

 

 

Does anyone have any suggestions or workarounds? Having to maintain two iRules is a pain.

 

 

Thanks.

 

Josiah Purtlebaugh

 

application delivery
dev
devops
iRules
  • spark_86682's avatar
    spark_86682
    Historic F5 Account
    Feb 07, 2012
    Two possibilities:

     

     

    1) Split your iRule into two (this doesn't mean you have to maintain two copies of the same/similar iRules). Have one iRule with just the HTTP-only parts and a second with just the SSL parts. For non-SSL vips, just apply the first iRule, and for SSL vips apply both iRules.

     

     

    2) Stuff the SSL commands into a variable, and then use "eval" on that variable. That will hide them from the validation code. Of course, you'll still need to check for an SSL profile, otherwise those commands will error out. There should be several examples of this somewhere in the codeshare. I thought the proxypass iRule did this? Can't remember exactly.