07-Aug-2020 10:21
Hi,
Created the following iRule to log the TLS ver info and HTTP Host and URI Details.
==========================================
when CLIENTSSL_HANDSHAKE {
    if { [SSL::cipher version] == 1.0 || [SSL::cipher version] == 1.1 || [SSL::cipher version] == 1.2 }{
        set FLAG 1
        set TLS-VER [SSL::cipher version]
    }
}
when HTTP_REQUEST {
    if { $FLAG } {
        set VIP [IP::local_addr]:[TCP::local_port]
        set CLIENT [IP::client_addr]:[TCP::client_port]
        set URL [HTTP::host][HTTP::uri]
        log local0. "Client ($CLIENT) connected to the VIP ($VIP) for $URL using $TLS-VER"
    }
}
=================================================
When the iRule is executed it throws the following error message in /var/log/ltm
- can't read "FLAG": no such variable while executing "if { $FLAG } { set VIP [IP::local_addr]:[TCP::local_port] set CLIENT [IP::client_addr]:[TCP::client_port] set URL [HTTP::host]..."
=============================================================
The FLAG variable is created in the SSL Client Handshake event and that's passed over to the HTTP Request event, but I'm not sure why it says there is no variable called FLAG.
Could you please help me in executing this iRule correctly?
Thanks,
Yugandhar.
07-Aug-2020 14:14
Hi Yugandhar,
[SSL::cipher version] : Returns the current SSL cipher version using the format of the OpenSSL SSL_CIPHER_get_version() function (e.g. “SSLv2”, “SSLv3”, “TLSv1”, “TLSv1.1”, “TLSv1.2”).
REF: https://clouddocs.f5.com/api/irules/SSL__cipher.html
when CLIENTSSL_HANDSHAKE {
    # SSL::cipher version returns a string such as "TLSv1.2", so compare as a string
    if { [SSL::cipher version] equals "TLSv1" || [SSL::cipher version] equals "TLSv1.1" || [SSL::cipher version] equals "TLSv1.2" } {
        set FLAG 1
        # Tcl stops a $name substitution at a hyphen, so $TLS-VER would read $TLS and
        # append "-VER"; use an underscore in the variable name instead
        set TLS_VER [SSL::cipher version]
    } else {
        # "else" must stay on the same line as the closing brace, or Tcl ends the if command
        set FLAG 0
    }
}
when HTTP_REQUEST {
    # Guard with info exists: the handshake event does not run on a plain HTTP virtual
    if { [info exists FLAG] && $FLAG } {
        set VIP [IP::local_addr]:[TCP::local_port]
        set CLIENT [IP::client_addr]:[TCP::client_port]
        set URL [HTTP::host][HTTP::uri]
        log local0. "Client ($CLIENT) connected to the VIP ($VIP) for $URL using $TLS_VER"
    }
}
You don't need the CLIENTSSL_HANDSHAKE event in the iRule:
when HTTP_REQUEST {
    # The client SSL handshake has completed by the time HTTP_REQUEST fires,
    # so the negotiated version can be read here directly
    set TLS_VER [SSL::cipher version]
    set VIP [IP::local_addr]:[TCP::local_port]
    set CLIENT [IP::client_addr]:[TCP::client_port]
    set URL [HTTP::host][HTTP::uri]
    log local0. "Client ($CLIENT) connected to the VIP ($VIP) for $URL using $TLS_VER"
}
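Once the iRule is logging, the useful next step is to read those /var/log/ltm lines back and see which clients still negotiate old protocol versions before they are disabled in the client SSL profile. The following parser is an added example, not code from the thread; the log message format is the one the iRule above emits, while the syslog prefix and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Matches the message written by "log local0." in the iRule. The syslog prefix
# (timestamp, host, tmm process, rule name) varies, so the pattern is searched
# within the line rather than anchored to its start.
LOG_RE = re.compile(
    r"Client \((?P<client>[^)]+)\) connected to the VIP \((?P<vip>[^)]+)\) "
    r"for (?P<url>\S+) using (?P<tls>\S+)"
)

# Protocol versions worth flagging before they are removed from the SSL profile.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_line(line):
    """Return the fields from one ltm log line, or None if the line is unrelated."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count requests per (VIP, TLS version) and collect clients on legacy versions."""
    per_vip = Counter()
    legacy_clients = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_vip[(rec["vip"], rec["tls"])] += 1
        if rec["tls"] in LEGACY_VERSIONS:
            legacy_clients.setdefault(rec["tls"], set()).add(rec["client"])
    return per_vip, legacy_clients


# Constructed sample lines; the "tmm[...]: Rule ..." prefix is an assumption.
PREFIX = "Aug  7 10:30:01 bigip1 info tmm[1234]: Rule /Common/tls_log <HTTP_REQUEST>: "
SAMPLE_LINES = [
    PREFIX + "Client (10.1.1.5:51234) connected to the VIP (10.0.0.10:443) for www.example.com/login using TLSv1.2",
    PREFIX + "Client (10.1.1.6:51235) connected to the VIP (10.0.0.10:443) for www.example.com/ using TLSv1",
    PREFIX + "Client (10.1.1.7:51236) connected to the VIP (10.0.0.10:443) for www.example.com/api using TLSv1.1",
    PREFIX + "Client (10.1.1.8:51237) connected to the VIP (10.0.0.10:443) for www.example.com/ using TLSv1.2",
    "Aug  7 10:30:05 bigip1 notice mcpd[2345]: unrelated message",
]

if __name__ == "__main__":
    counts, legacy = summarize(SAMPLE_LINES)
    for (vip, tls), n in sorted(counts.items()):
        print(f"{vip} {tls}: {n}")
    for tls, clients in sorted(legacy.items()):
        print(f"legacy {tls}: {sorted(clients)}")
```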