Forum Discussion

TLL_91858
Dec 14, 2012

Error in iRule when invoking HTTP::release

I was running V10.2.4 HF3 and have upgraded to V11.2.1 HF1. I now have this iRule that won't run. It gives the following error:

- Illegal argument. Can't execute in the current context. (line 1) invoked from within "HTTP::release"

The purpose of the rule is to force clients who access a particular uri to change client cert from required to request in support of an old legacy java application. Any ideas why the http::release is no longer working would be appreciated.

when CLIENT_ACCEPTED {
  set LogDebug 1
  set session_flag 0
  if { $LogDebug == 1 } { log local0.warn "CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is $session_flag" }
}

when CLIENTSSL_HANDSHAKE {
  set LogDebug 1
  if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: cert count=[SSL::cert count]" }
  if { [SSL::cert count] > 0 } {
    if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is [SSL::cert count]" }
    if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: Session flag is $session_flag" }
    HTTP::release
  } else {
    if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass" }
  }
}

when HTTP_REQUEST {
  set LogDebug 1
  if { [string tolower [HTTP::uri]] equals "/mis" || [string tolower [HTTP::uri]] equals "/missd" || [string tolower [HTTP::uri]] equals "/mat" } {
    if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: Requiring certificate...and the request uri is :[HTTP::uri]" }
    if { [SSL::cert count] == 0 } {
      if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: when http request,ssl cert count is 0,now http collect" }
      HTTP::collect
      SSL::authenticate once
      SSL::authenticate depth 9
      SSL::cert mode require
      log local0.info "HTTP_REQUEST: when http request,now renegotiating"
      set session_flag 1
      SSL::renegotiate
    } else {
      if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: No cert needed,to server directly, and the uri is [HTTP::uri]" }
    }
  }
  log local0.info "HTTP_REQUEST: Session_flag at end of http_request is $session_flag"
}

 

8 Replies

  • I don't think the HTTP::release is required in the CLIENTSSL_HANDSHAKE event at all, seeing as you don't start collecting till after SSL has done its thing. The error has probably occurred due to better syntax checking in v11. However, I'd suggest you add it as the last line of your rule (although a response will have the same effect).
  • I have the same issue here.

    According to the Wiki, there MUST be an HTTP::release executed in some non-HTTP event to prevent HTTP from stalling indefinitely:

    See HTTP::collect:

    Also, if you use HTTP::collect without specifying a length, you must have some non-HTTP event (e.g. AUTH_RESULT or NAME_RESOLVED) run HTTP::release, or HTTP processing will not continue, and the collected data will be discarded when the connection times out.

    How would you do this in an iRule that needs to force an SSL renegotiation (e.g., in order to obtain a client certificate)?

    -Frank


  • I got the same error in 11.3.0.

    Can you open a support case to verify and get it fixed?
  • If you comment out the HTTP::release does it work or just stall after the HTTP::collect?

    Aaron
  • Hmm... I do not get the error when re-testing today. (= =*)

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) show sys version
    
    Sys::Version
    Main Package
      Product  BIG-IP
      Version  11.3.0
      Build    2806.0
      Edition  Final
      Date     Tue Nov 13 22:34:00 PST 2012
    
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.20.14:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            myclientssl {
                context clientside
            }
            tcp { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vlans-disabled
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
    ltm profile client-ssl myclientssl {
        app-service none
        ca-file ca.crt
        defaults-from clientssl
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when CLIENT_ACCEPTED {
      set LogDebug 1
      set session_flag 0
      if { $LogDebug == 1 } { log local0.warn "CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is $session_flag" }
    }
    
    when CLIENTSSL_HANDSHAKE {
      set LogDebug 1
      if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: cert count=[SSL::cert count]" }
      if { [SSL::cert count] > 0 } {
        if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is [SSL::cert count]" }
        if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: Session flag is $session_flag" }
        HTTP::release
      } else {
        if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass" }
      }
    }
    
    when HTTP_REQUEST {
      set LogDebug 1
      if { [string tolower [HTTP::uri]] equals "/mis" || [string tolower [HTTP::uri]] equals "/missd" || [string tolower [HTTP::uri]] equals "/mat" } {
        if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: Requiring certificate...and the request uri is :[HTTP::uri]" }
        if { [SSL::cert count] == 0 } {
          if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: when http request,ssl cert count is 0,now http collect" }
          HTTP::collect
          SSL::authenticate once
          SSL::authenticate depth 9
          SSL::cert mode require
          log local0.info "HTTP_REQUEST: when http request,now renegotiating"
          set session_flag 1
          SSL::renegotiate
        } else {
          if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: No cert needed,to server directly, and the uri is [HTTP::uri]" }
        }
      }
      log local0.info "HTTP_REQUEST: Session_flag at end of http_request is $session_flag"
    }
    }
    
     client
    
    [root@centos251 ca] curl -Ik https://172.28.20.14/mis --cert client1.crt --key client1.key
    HTTP/1.1 404 Not Found
    Date: Sat, 19 Jan 2013 14:35:38 GMT
    Server: Apache/2.2.3 (CentOS)
    Content-Type: text/html; charset=iso-8859-1
    
     ltm log
    
    [root@ve11a:Active:Changes Pending] config  tail -f /var/log/ltm
    Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is 0
    Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=0
    Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass
    Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: Requiring certificate...and the request uri is :/mis
    Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: when http request,ssl cert count is 0,now http collect
    Jan 19 22:03:23 ve11a info tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: when http request,now renegotiating
    Jan 19 22:03:23 ve11a info tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: Session_flag at end of http_request is 1
    Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=1
    Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is 1
    Jan 19 22:03:23 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: Session flag is 1
    
  • I think I found it.

    Apparently, if you actually check if HTTP::collect has been executed before executing HTTP::release, then it works OK.

    If you execute HTTP::release and no (previous) HTTP::collect is pending, then you will get the error. Previous versions of TMOS were not so picky?

    I set a variable to true ($collecting) at HTTP::collect and verify if $collecting is true before I do the HTTP::release in CLIENTSSL_HANDSHAKE.

    With best regards,

    -Frank

  • @Nitass: I.e., your code will work with a single CURL request. You run into problems when you start a new TCP connection using the same SSL session where previously a client certificate was sent. In that case your code will execute HTTP::release while no previous HTTP::collect was executed.

    Can you verify?

    -Frank
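The guard Frank describes in his two replies above, written out as a complete iRule; this is an added example, not code posted in this thread. The URI list and the renegotiation commands are taken from the original rule, the $collecting flag from Frank's description, and initialising the flag in CLIENT_ACCEPTED is my assumption, so that the first CLIENTSSL_HANDSHAKE of a resumed session (Frank's failure case) finds it defined before any HTTP_REQUEST has run.

```tcl
when CLIENT_ACCEPTED {
    # Assumption: initialise per connection. On a resumed SSL session
    # CLIENTSSL_HANDSHAKE fires before any HTTP_REQUEST, so the flag must
    # already exist when that event reads it.
    set collecting 0
}

when HTTP_REQUEST {
    set uri [string tolower [HTTP::uri]]
    if { $uri equals "/mis" || $uri equals "/missd" || $uri equals "/mat" } {
        if { [SSL::cert count] == 0 } {
            # Hold the request and remember that a collect is now pending,
            # then ask the client for a certificate via renegotiation.
            HTTP::collect
            set collecting 1
            SSL::authenticate once
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    # Release only when a collect is actually pending. Calling HTTP::release
    # with nothing collected (a resumed session that already carries a cert,
    # or a handshake before the first request) is what raises
    # "Can't execute in the current context" on v11.
    if { [info exists collecting] && $collecting == 1 } {
        if { [SSL::cert count] > 0 } {
            HTTP::release
            set collecting 0
            log local0. "released held request for [IP::client_addr]"
        }
    }
}
```

The log line lets you confirm in /var/log/ltm that the held request was released exactly once per renegotiation, the same way nitass's traces above track each event.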
  • "your code will work with a single CURL request." Oh yes. Thanks, I was blur.

    "You run into problems when you start a new TCP connection using the same SSL session where previously a client certificate was sent. In that case your code will execute HTTP::release while no previous HTTP::collect was executed." Not sure if I did anything wrong. SSL::cert count is still 0 even using the previous ssl session id.

    [root@ve11a:Active:Changes Pending] config  tmsh list ltm rule myrule
    ltm rule myrule {
        when CLIENT_ACCEPTED {
      set LogDebug 1
      set session_flag 0
      log local0. "-"
      log local0. "client [IP::client_addr]:[TCP::client_port]"
      if { $LogDebug == 1 } { log local0.warn "CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is $session_flag" }
    }
    
    when CLIENTSSL_HANDSHAKE {
      set LogDebug 1
      log local0. "sessionid [SSL::sessionid]"
      if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: cert count=[SSL::cert count]" }
      if { [SSL::cert count] > 0 } {
        if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is [SSL::cert count]" }
        if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: Session flag is $session_flag" }
        log local0. "HTTP::release"
        HTTP::release
      } else {
        if { $LogDebug == 1 } { log local0.warn "CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass" }
      }
    }
    
    when HTTP_REQUEST {
      set LogDebug 1
      if { [string tolower [HTTP::uri]] equals "/mis" || [string tolower [HTTP::uri]] equals "/missd" || [string tolower [HTTP::uri]] equals "/mat" } {
        if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: Requiring certificate...and the request uri is :[HTTP::uri]" }
        if { [SSL::cert count] == 0 } {
          if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: when http request,ssl cert count is 0,now http collect" }
          HTTP::collect
          SSL::authenticate once
          SSL::authenticate depth 9
          SSL::cert mode require
          log local0.info "HTTP_REQUEST: when http request,now renegotiating"
          set session_flag 1
          SSL::renegotiate
        } else {
          if { $LogDebug == 1 } { log local0.warn "HTTP_REQUEST: No cert needed,to server directly, and the uri is [HTTP::uri]" }
        }
      }
      log local0.info "HTTP_REQUEST: Session_flag at end of http_request is $session_flag"
    }
    }
    
     client monitor 1
    
     echo -e "GET /mis HTTP/1.1\r\nHost:\r\n\r\n"| openssl s_client -connect 172.28.20.14:443 -cert /var/tmp/client1.crt -key /var/tmp/client1.key -quiet -sess_out /var/tmp/new.sess
    depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
    verify return:1
    depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain
    verify return:1
    HTTP/1.1 200 OK
    Date: Mon, 21 Jan 2013 13:34:26 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Mon, 21 Jan 2013 13:14:42 GMT
    ETag: "418411-59-3e7cd480"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
    
    
    
    
    This is 101 host.
    
    
    
    read:errno=0
    
     client monitor 2
    
     echo -e "GET / HTTP/1.1\r\nHost:\r\n\r\n"| openssl s_client -connect 172.28.20.14:443 -quiet -sess_in /var/tmp/new.sess
    HTTP/1.1 200 OK
    Date: Mon, 21 Jan 2013 13:34:27 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
    ETag: "4183f3-59-f28f94c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
    
    
    
    
    This is 101 host.
    
    
    
    read:errno=0
    
     /var/log/ltm
    
    [root@ve11a:Active:Changes Pending] config  tail -f /var/log/ltm
    Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : -
    Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : client 172.28.66.39:51327
    Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is 0
    Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : sessionid 0504475af67bc03cc5a00cadc9da6fc0f0c003a482d34cc66edf60b30130a50b
    Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=0
    Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass
    Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : HTTP_REQUEST: Requiring certificate...and the request uri is :/mis
    Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : HTTP_REQUEST: when http request,ssl cert count is 0,now http collect
    Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : HTTP_REQUEST: when http request,now renegotiating
    Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : HTTP_REQUEST: Session_flag at end of http_request is 1
    Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : sessionid 0504475af67bc033c5a00cadc9da6fc0f0c003a482d34cc76edf60b30130a50b
    Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=1
    Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake , two way cert found and the cert count is 1
    Jan 21 21:02:05 ve11a warning tmm[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: Session flag is 1
    Jan 21 21:02:05 ve11a info tmm[11170]: Rule /Common/myrule : HTTP::release
    Jan 21 21:02:05 ve11a info tmm1[11170]: Rule /Common/myrule : -
    Jan 21 21:02:05 ve11a info tmm1[11170]: Rule /Common/myrule : client 172.28.66.39:51328
    Jan 21 21:02:05 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENT_ACCEPTED: Session_flag at end CLIENT_ACCEPTED is 0
    Jan 21 21:02:05 ve11a info tmm1[11170]: Rule /Common/myrule : sessionid 0504475af67bc03cc5a00cadc9da6fc0f0c003a482d34cc66edf60b30130a50b
    Jan 21 21:02:05 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: cert count=0
    Jan 21 21:02:05 ve11a warning tmm1[11170]: Rule /Common/myrule : CLIENTSSL_HANDSHAKE: when client handshake,ssl cert count is 0,pass
    Jan 21 21:02:05 ve11a info tmm1[11170]: Rule /Common/myrule : HTTP_REQUEST: Session_flag at end of http_request is 0
    ^C