For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

XS_68901's avatar
XS_68901
Icon for Nimbostratus rankNimbostratus
Nov 10, 2011

TCL error in X509:whole

Hello! Everyone.     Do you have any ideas to solve this error?   I try to write an iRule. like this.   ============================================================   when CLIENTSSL...
application delivery
dev
devops
iRules
nitass's avatar
nitass
Icon for Employee rankEmployee
Nov 10, 2011

sol11479: If the session iRule command is used to add binary data to the session table, the data will be corrupted

 

http://support.f5.com/kb/en-us/solu...11479.html

 

 

[root@ve1023:Active] config b virtual bar list

 

virtual bar {

 

snat automap

 

pool foo

 

destination 172.28.65.152:https

 

ip protocol tcp

 

rules myrule

 

profiles {

 

http {}

 

myclientssl {

 

clientside

 

}

 

tcp {}

 

}

 

}

 

[root@ve1023:Active] config b profile myclientssl list

 

profile clientssl myclientssl {

 

defaults from clientssl

 

ca file "ca.crt"

 

peer cert mode require

 

}

 

[root@ve1023:Active] config b rule myrule list

 

rule myrule {

 

when CLIENTSSL_HANDSHAKE {

 

log local0. "sessionid = [SSL::sessionid]"

 

log local0. "client cert = [X509::whole [SSL::cert 0]]"

 

if {[session lookup ssl [SSL::sessionid]] eq ""} {

 

session add ssl [SSL::sessionid] [b64encode [SSL::cert 0]] 180

 

}

 

}

 

when HTTP_REQUEST {

 

log local0. "sessionid = [SSL::sessionid]"

 

if {[session lookup ssl [SSL::sessionid]] ne ""} {

 

log local0. "client cert = [X509::whole [b64decode [session lookup ssl [SSL::sessionid]]]]"

 

regsub -all "\n" [X509::whole [b64decode [session lookup ssl [SSL::sessionid]]]] "" client_cert_insert

 

log local0. "client_cert_insert = $client_cert_insert"

 

HTTP::header insert SSL_CLIENT_CERTIFICATE $client_cert_insert

 

}

 

}

 

}

 

 

[root@ve1023:Active] config curl -Ik https://172.28.65.152 --cert /var/tmp/temp/ca/client.crt --key /var/tmp/temp/ca/client.key

 

HTTP/1.1 200 OK

 

Date: Thu, 10 Nov 2011 08:59:31 GMT

 

Server: Apache/2.2.3 (CentOS)

 

Last-Modified: Tue, 08 Nov 2011 12:54:37 GMT

 

ETag: "4183c9-30-ac7cfd40"

 

Accept-Ranges: bytes

 

Content-Length: 48

 

Connection: close

 

Content-Type: text/html; charset=UTF-8

 

[root@ve1023:Active] config cat /var/log/ltm

 

Nov 10 00:59:17 local/tmm info tmm[4766]: Rule myrule : sessionid = 854d7777d844dc1aa3756d51174e92cb3c13a7ce91d6e3dd471ae34dc2a528f3

 

Nov 10 00:59:17 local/tmm info tmm[4766]: Rule myrule : client cert = -----BEGIN CERTIFICATE----- MIIDujCCAqKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJ1czEL MAkGA1UECBMCd2ExEDAOBgNVBAcTB3NlYXR0bGUxDjAMBgNVBAoTBWY1bmV0MQsw CQYDVQQLEwJwczEVMBMGA1UEAxMMY2EuZjVuZXQuY29tMB4XDTExMTAxMDE0Mjkw NVoXDTEyMTAwOTE0MjkwNVowZDELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAndhMRAw DgYDVQQHEwdzZWF0dGxlMQ4wDAYDVQQKEwVmNW5ldDELMAkGA1UECxMCcHMxGTAX BgNVBAMTEGNsaWVudC5mNW5ldC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQChVkX+nkUAijf3Wo66w28PqLwrc+72h9LNScP7lFJ7nUqPSdfMRvY+ oGh8kEwR/FZVbGmzcd947kZuE4PowVwY4ULUB46/2wcGsYLFar+BXALqOtOBnf1i tIYB4lQhDs0ptRYV3EAh5lIeVcLMIAjIMruGnBK4w9kTvyWhHcTppz7Rjk/kMQkX DfxPUogYJ6rBK/Y3WO8j/KuNhenT3yVWyJH2hqoQV9H9Hpq69JPc0EHIuRTSexXh bxeJrbQPfru9lftcsVW3AwUIfM9L7DRfYHpdrdE2A52nuEm6dZsabl3JYZH02JtG Suly1SnFsL/61t/kGjcN+5BETdt8pjSZAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJ YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud DgQWBBT/hZibzImAU/yPcC/BVXR612zSkTAfBgNVHSMEGDAWgBRR68sD4lIUjXWG HB0xNIFIvtpPOjANBgkqh

 

Nov 10 00:59:17 local/tmm info tmm[4766]: Rule myrule : sessionid = 854d7777d844dc1aa3756d51174e92cb3c13a7ce91d6e3dd471ae34dc2a528f3

 

Nov 10 00:59:17 local/tmm info tmm[4766]: Rule myrule : client cert = -----BEGIN CERTIFICATE----- MIIDujCCAqKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJ1czEL MAkGA1UECBMCd2ExEDAOBgNVBAcTB3NlYXR0bGUxDjAMBgNVBAoTBWY1bmV0MQsw CQYDVQQLEwJwczEVMBMGA1UEAxMMY2EuZjVuZXQuY29tMB4XDTExMTAxMDE0Mjkw NVoXDTEyMTAwOTE0MjkwNVowZDELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAndhMRAw DgYDVQQHEwdzZWF0dGxlMQ4wDAYDVQQKEwVmNW5ldDELMAkGA1UECxMCcHMxGTAX BgNVBAMTEGNsaWVudC5mNW5ldC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQChVkX+nkUAijf3Wo66w28PqLwrc+72h9LNScP7lFJ7nUqPSdfMRvY+ oGh8kEwR/FZVbGmzcd947kZuE4PowVwY4ULUB46/2wcGsYLFar+BXALqOtOBnf1i tIYB4lQhDs0ptRYV3EAh5lIeVcLMIAjIMruGnBK4w9kTvyWhHcTppz7Rjk/kMQkX DfxPUogYJ6rBK/Y3WO8j/KuNhenT3yVWyJH2hqoQV9H9Hpq69JPc0EHIuRTSexXh bxeJrbQPfru9lftcsVW3AwUIfM9L7DRfYHpdrdE2A52nuEm6dZsabl3JYZH02JtG Suly1SnFsL/61t/kGjcN+5BETdt8pjSZAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJ YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud DgQWBBT/hZibzImAU/yPcC/BVXR612zSkTAfBgNVHSMEGDAWgBRR68sD4lIUjXWG HB0xNIFIvtpPOjANBgkqhkiG9w0B

 

Nov 10 00:59:17 local/tmm info tmm[4766]: Rule myrule : client_cert_insert = -----BEGIN CERTIFICATE-----MIIDujCCAqKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJ1czELMAkGA1UECBMCd2ExEDAOBgNVBAcTB3NlYXR0bGUxDjAMBgNVBAoTBWY1bmV0MQswCQYDVQQLEwJwczEVMBMGA1UEAxMMY2EuZjVuZXQuY29tMB4XDTExMTAxMDE0MjkwNVoXDTEyMTAwOTE0MjkwNVowZDELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAndhMRAwDgYDVQQHEwdzZWF0dGxlMQ4wDAYDVQQKEwVmNW5ldDELMAkGA1UECxMCcHMxGTAXBgNVBAMTEGNsaWVudC5mNW5ldC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChVkX+nkUAijf3Wo66w28PqLwrc+72h9LNScP7lFJ7nUqPSdfMRvY+oGh8kEwR/FZVbGmzcd947kZuE4PowVwY4ULUB46/2wcGsYLFar+BXALqOtOBnf1itIYB4lQhDs0ptRYV3EAh5lIeVcLMIAjIMruGnBK4w9kTvyWhHcTppz7Rjk/kMQkXDfxPUogYJ6rBK/Y3WO8j/KuNhenT3yVWyJH2hqoQV9H9Hpq69JPc0EHIuRTSexXhbxeJrbQPfru9lftcsVW3AwUIfM9L7DRfYHpdrdE2A52nuEm6dZsabl3JYZH02JtGSuly1SnFsL/61t/kGjcN+5BETdt8pjSZAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBT/hZibzImAU/yPcC/BVXR612zSkTAfBgNVHSMEGDAWgBRR68sD4lIUjXWGHB0xNIFIvtpPOjANBgkqhkiG9w0BAQUFAAOC