Forum Discussion

Yugandhar
Aug 07, 2020

iRule to Log TLS Version and HTTP Host and URI

Hi,


I created the following iRule to log the TLS version info and the HTTP Host and URI details.


==========================================

when CLIENTSSL_HANDSHAKE {
    if { [SSL::cipher version] == 1.0 || [SSL::cipher version] == 1.1 || [SSL::cipher version] == 1.2 }{
        set FLAG 1
        set TLS-VER [SSL::cipher version]
    }
}

when HTTP_REQUEST {
    if { $FLAG } {
        set VIP [IP::local_addr]:[TCP::local_port]
        set CLIENT [IP::client_addr]:[TCP::client_port]
        set URL [HTTP::host][HTTP::uri]
        log local0. "Client ($CLIENT) connected to the VIP ($VIP) for $URL using $TLS-VER"
    }
}

=================================================


When the iRule runs, it throws the following error message in /var/log/ltm:

- can't read "FLAG": no such variable while executing "if { $FLAG } { set VIP [IP::local_addr]:[TCP::local_port] set CLIENT [IP::client_addr]:[TCP::client_port] set URL [HTTP::host]..."

 

=============================================================


The FLAG variable is created in the CLIENTSSL_HANDSHAKE event and passed over to the HTTP_REQUEST event, but I'm not sure why it says there is no variable called FLAG.

Could you please help me get this iRule to run correctly?

Thanks,

Yugandhar.


1 Reply

  • Hi Yugandhar,

    [SSL::cipher version] : Returns the current SSL cipher version using the format of the OpenSSL SSL_CIPHER_get_version() function (e.g. “SSLv2”, “SSLv3”, “TLSv1”, “TLSv1.1”, “TLSv1.2”).

    REF: https://clouddocs.f5.com/api/irules/SSL__cipher.html

    when CLIENTSSL_HANDSHAKE {
        # Version is a string ("TLSv1.2"), so compare with equals, not ==
        if { [SSL::cipher version] equals "TLSv1" || [SSL::cipher version] equals "TLSv1.1" || [SSL::cipher version] equals "TLSv1.2" } {
            set FLAG 1
            # Tcl stops "$" substitution at a hyphen, so TLS_VER rather than TLS-VER
            set TLS_VER [SSL::cipher version]
        } else {
            set FLAG 0
        }
    }
     
    when HTTP_REQUEST {
        if { $FLAG } {
            set VIP [IP::local_addr]:[TCP::local_port]
            set CLIENT [IP::client_addr]:[TCP::client_port]
            set URL [HTTP::host][HTTP::uri]
            log local0. "Client ($CLIENT) connected to the VIP ($VIP) for $URL using $TLS_VER"
        }
    }

    You don't need the CLIENTSSL_HANDSHAKE event in the iRule:

    when HTTP_REQUEST {
        # Read the negotiated version directly from the request's SSL session
        set TLS_VER [SSL::cipher version]
        set VIP [IP::local_addr]:[TCP::local_port]
        set CLIENT [IP::client_addr]:[TCP::client_port]
        set URL [HTTP::host][HTTP::uri]
        log local0. "Client ($CLIENT) connected to the VIP ($VIP) for $URL using $TLS_VER"
    }
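
An added example for this thread, not code from the original post or from the reply above: an iRule that logs the negotiated TLS version with the HTTP Host and URI while avoiding the pitfalls the thread runs into. `[SSL::cipher version]` returns a string such as "TLSv1.2", so it is matched with `switch` rather than compared to the number 1.2; Tcl stops `$` substitution at a hyphen, so `$TLS-VER` reads a variable named `TLS` and appends the literal text "-VER", and the names here use underscores instead; and the per-connection variables are initialised in `CLIENT_ACCEPTED`, so `HTTP_REQUEST` never reads a variable that `CLIENTSSL_HANDSHAKE` did not set (for example on a plain-HTTP virtual server). The "TLSv1.3" string and the treatment of unlisted versions as legacy are assumptions following the OpenSSL SSL_CIPHER_get_version() naming the reply cites.

```tcl
# Added example, not the original poster's or the reply's iRule.
# Assumption: TLS 1.3 is reported as "TLSv1.3"; any version string not
# listed in the switch is treated as legacy.

when CLIENT_ACCEPTED {
    # Defaults for a connection that never completes a client-side handshake,
    # so HTTP_REQUEST can always read these variables.
    set tls_ver "none"
    set tls_cipher "none"
    set tls_legacy 0
}

when CLIENTSSL_HANDSHAKE {
    set tls_ver [SSL::cipher version]
    set tls_cipher [SSL::cipher name]
    # Flag anything below TLS 1.2 so legacy clients can be grepped out of
    # /var/log/ltm before the old protocol versions are disabled.
    switch -- $tls_ver {
        TLSv1.2 -
        TLSv1.3 { set tls_legacy 0 }
        default { set tls_legacy 1 }
    }
}

when HTTP_REQUEST {
    set vip "[IP::local_addr]:[TCP::local_port]"
    set client "[IP::client_addr]:[TCP::client_port]"
    set url "[HTTP::host][HTTP::uri]"
    if { $tls_legacy } {
        # Warning level makes legacy-TLS clients stand out in the log.
        log local0.warning "LEGACY-TLS client ($client) connected to the VIP ($vip) for $url using $tls_ver ($tls_cipher)"
    } else {
        log local0. "Client ($client) connected to the VIP ($vip) for $url using $tls_ver ($tls_cipher)"
    }
}
```

Both `log` calls write to /var/log/ltm; on a busy virtual server, one line per request is a lot of local logging, so for an inventory of legacy-TLS clients across a fleet, sending the same message with HSL (`HSL::open` / `HSL::send`) to a remote syslog pool is the usual alternative.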