Forum Discussion

Hille_de_Graaf_
Dec 21, 2007

TCL error on SSL certificate

We have the following situation:

An LTM 3400, a VS for SSL offloading, and client certificates for strong authentication. The client certificates are also checked using a Certificate Revocation List (CRL).

On the LTM we check if a client_cert has the status "ok"; if that is the case, then we also insert certain client_certificate values in the HTTP header (subject and serial). If the client_cert status is not equal to "ok" (empty or another value), then we redirect the client to an error page.

The iRule that we use is as follows:

iRule_name: cert_portal_apps

when CLIENTSSL_CLIENTCERT {
    # read the client certificate and its verification result
    set cert [SSL::cert 0]
    set status [X509::verify_cert_error_string [SSL::verify_result]]
    set subject [X509::subject $cert]
    set serial [X509::serial_number $cert]
    set values [list $cert $status $subject $serial]
    # keep the result in the session table, keyed on the SSL session ID
    session add ssl [SSL::sessionid] $values 3600
    log local0. "ClientSSl_Client handshake status: $status"
}

when HTTP_REQUEST {
    set values [session lookup ssl [SSL::sessionid]]
    if { [lindex $values 1] equals "ok" } {
        log local0. "The client_cert status is: [lindex $values 1]"
        log local0. "The client_cert subject is: [lindex $values 2]"
        log local0. "The client_cert serial is: [lindex $values 3]"
        HTTP::header insert ClientSSL_subject [lindex $values 2]
        HTTP::header insert ClientSSL_serial [lindex $values 3]
        pool Portal-apps
        HTTP::header remove "If-Modified-Since"
    } elseif { [lindex $values 1] equals "" } {
        log local0. "no client_certificate"
        HTTP::redirect "https://nocertserver/errors/nocert.htm"
    } else {
        log local0. "cert error or wrong client_certificate: [lindex $values 1]"
        HTTP::redirect "https://errorcertserver/errors/cert_error.htm"
    }
}

We tested it on Wednesday evening and it looked all right, so on Thursday our clients would connect through the LTM to our portal. But in the morning we got complaints that random users could not access the portal. We had to go back to the old BigIP 2000s.

When we looked in /var/log/ltm on the LTM we saw the following messages:

Dec 20 08:11:30 tmm tmm[1472]: 01220001:3: TCL error: Rule cert_portal_apps - while executing "X509::subject $cert"
Dec 20 09:01:01 tmm tmm[1472]: 01220001:3: TCL error: Rule cert_portal_apps - while executing "X509::subject $cert"
Dec 20 09:11:27 tmm tmm[1472]: 01220001:3: TCL error: Rule cert_portal_apps - while executing "X509::subject $cert"
Dec 20 09:15:27 tmm tmm[1472]: 01220001:3: TCL error: Rule cert_portal_apps - while executing "X509::subject $cert"
Dec 20 09:21:51 tmm tmm[1472]: 01260008:3: SSL transaction (TPS) rate limit reached
Dec 20 09:24:26 tmm tmm[1472]: 01220001:3: TCL error: Rule cert_portal_apps - while executing "X509::subject $cert"

Does anyone have an idea what could be wrong?

Could it be the iRule?

Could it be because we reached the TPS rate limit? (We have a licence for 200 TPS; the highest TPS count was 127.)

The load on the LTM was normal.

Throughput was about 20-25 Mbps.

3 Replies

  • hoolio
    There have been a couple of posts with this error:

    TCL error: Rule Client_cert_in_HTTP_Header2 - while executing "X509::whole $c_cert"

    how to pass variables

    Neither has a definitive answer. If no one else has more info on the error, you could open a case with F5 support on the error. If you do and get more information, can you reply here?

    Thanks,

    Aaron
  • I can't see why the LTM would produce "RANDOM" results, unless there were something different about the clients. Are we sure that everybody's cert is good?

    We get that error all the time during login, when the users log on to our legacy portal site without the cert. We know our site monitor creates the error as well. So TCL error: Rule www_443_v4 - while executing "X509::subject $cert" ... is a false error for us.
  • hoolio
    After doing some testing related to this, I think the issue is that CLIENTSSL_CLIENTCERT is triggered whenever the client responds after LTM requests a client cert, whether the client presents a cert or not. So you could add a check to see if SSL::cert count is greater than 0 before assuming SSL::cert 0 references a cert.

    Aaron
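A reworked version of the poster's rule along the lines of Aaron's last suggestion, as an added example that is not part of the original thread and not F5 reference code: the X509:: commands are only reached when [SSL::cert count] is greater than 0, a "nocert" marker is stored otherwise (the marker name and the changed list layout, which drops the raw certificate from the session table, are this example's own choices), and any client-supplied ClientSSL_* headers are removed before the trusted values are inserted, so a client cannot smuggle a fake subject or serial past the portal. The pool name and redirect URLs are taken from the original post.

```tcl
when CLIENTSSL_CLIENTCERT {
    # This event also fires when the client answers the certificate request
    # with an empty certificate message. Check the count before touching the
    # certificate object; calling X509::subject on a missing cert is what
    # raised the TCL error in the poster's log.
    if { [SSL::cert count] > 0 } {
        set cert [SSL::cert 0]
        set status [X509::verify_cert_error_string [SSL::verify_result]]
        set subject [X509::subject $cert]
        set serial [X509::serial_number $cert]
    } else {
        # Example marker (not an F5 value): no certificate was presented.
        set status "nocert"
        set subject ""
        set serial ""
    }
    # Key the result on the SSL session ID so resumed SSL sessions, which do
    # not run this event again, still find it from HTTP_REQUEST. Only the
    # fields the backend needs are stored, not the certificate itself.
    session add ssl [SSL::sessionid] [list $status $subject $serial] 3600
    log local0. "ClientSSL handshake status: $status"
}

when HTTP_REQUEST {
    set values [session lookup ssl [SSL::sessionid]]
    set status  [lindex $values 0]
    set subject [lindex $values 1]
    set serial  [lindex $values 2]

    if { $status equals "ok" } {
        # Never trust these headers from the client: drop any copies it sent
        # before inserting the values taken from the verified certificate.
        HTTP::header remove ClientSSL_subject
        HTTP::header remove ClientSSL_serial
        HTTP::header insert ClientSSL_subject $subject
        HTTP::header insert ClientSSL_serial $serial
        HTTP::header remove "If-Modified-Since"
        log local0. "client cert ok: subject=$subject serial=$serial"
        pool Portal-apps
    } elseif { $status equals "nocert" || $status equals "" } {
        # An empty status means no session-table entry was found (for example
        # it expired before the SSL session did); treat it like a missing cert.
        log local0. "no client certificate"
        HTTP::redirect "https://nocertserver/errors/nocert.htm"
    } else {
        log local0. "cert error or wrong client certificate: $status"
        HTTP::redirect "https://errorcertserver/errors/cert_error.htm"
    }
}
```

With this layout a handshake without a certificate (a user who has none, or the site monitor mentioned in the second reply) is logged and redirected instead of aborting the rule, and the only path that touches the X509:: commands is the one where a certificate object exists.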