Forum Discussion
Colin_Walker_12
Apr 08, 2009
Historic F5 Account
v.10 Command Interoperability
While performing internal testing on some advanced iRules on the newly released v10 platform, we discovered a couple possible scenarios that users should be aware of. Making use of certain commands: ...
Sake_Blok
Nimbostratus
Mar 17, 2010
Posted By Colin Walker on 06/04/2009 9:33 AM
This has been fixed in v10.0.1.
Colin
I'm running into a similar issue when upgrading a box to v10.1.0 with an iRule that uses the session table, but none of the listed commands are used. The following is the skeleton of the iRule that I use:
    when CLIENTSSL_CLIENTCERT {
        set sslcert [SSL::cert 0]
        ...
        log local0. "[IP::client_addr], [X509::subject $sslcert] -> [IP::local_addr]"
        if { ... } {
            log local0. "...error..."
            reject
        } else {
            set ssl_cache_timeout [PROFILE::clientssl "cache_timeout"]
            session add ssl [SSL::sessionid] $sslcert $ssl_cache_timeout
        }
    }
    when HTTP_REQUEST {
        set sslcert [session lookup ssl [SSL::sessionid]]
        if { $sslcert ne "" } {
            HTTP::header remove X-Client-Cert
            HTTP::header insert X-Client-Cert [X509::whole $sslcert]
        } else {
            log local0. "No client certificate in the session table for [IP::client_addr] (SSLid: [SSL::sessionid])"
        }
    }
The first log command logs properly and there is no error logging from the second log command, so the certificate gets added to the session DB. There is also no logging that there is no client certificate in the session table (hence $sslcert is not ""); however, the command "[X509::whole $sslcert]" results in a TCL error.
Is this a known issue with iRules in v10.1.0? Is there a workaround?
Cheers,
Sake
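A defensive variant of the HTTP_REQUEST event from the post above, as an added example that is not part of the thread and not a confirmed fix for the v10.1.0 behaviour. It strips X-Client-Cert unconditionally, so a client-supplied copy never reaches the backend when the session lookup comes back empty, and wraps X509::whole in the standard Tcl catch so the failure is logged with the size of the stored value. The CLIENTSSL_CLIENTCERT event is assumed unchanged.

```tcl
# Added example, not from the thread. Uses only the iRule commands shown in
# the post plus the Tcl built-ins catch and string length.
when HTTP_REQUEST {
    # Remove any X-Client-Cert header sent by the client before doing anything
    # else. In the posted iRule the header is only removed when a certificate
    # is found, so a forged header passes through in the "not found" branch.
    HTTP::header remove X-Client-Cert

    set sslcert [session lookup ssl [SSL::sessionid]]
    if { $sslcert eq "" } {
        log local0. "No client certificate in the session table for [IP::client_addr] (SSLid: [SSL::sessionid])"
        return
    }

    # The post reports that X509::whole raises a TCL error at this point.
    # catch traps that error so it can be logged together with the length of
    # the value that came back from the session table.
    if { [catch { set pem [X509::whole $sslcert] } err] } {
        log local0. "X509::whole failed for [IP::client_addr]: $err (stored value length: [string length $sslcert])"
        # The request continues without the header; use reject here instead
        # if the backend must never see a request without a verified cert.
        return
    }

    HTTP::header insert X-Client-Cert $pem
}
```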