OK, so I realized my plan was flawed in that, as was pointed out to me above, a client will not present a cert on each and every HTTP request. So, I began going down the road of tracking whether we have validated a cert using the session table. However, I seem to be doing something wrong just adding the session entry. The rule:
when CLIENTSSL_CLIENTCERT {
    # Fires once per handshake when the client presents a cert; stash the
    # verification result in the session table keyed by SSL session ID.
    set id [SSL::sessionid]
    session add ssl $id [X509::verify_cert_error_string [SSL::verify_result]] 180
}
when HTTP_REQUEST {
    if { [SSL::cert count] == 0 } {
        reject
    } else {
        set subject [X509::subject [SSL::cert 0]]
        if { [matchclass $subject contains $::merlin] } {
            use pool test-sun
        }
    }
}
...generates the error:
Apr 6 12:01:39 tmm tmm[5569]: 01220001:3: TCL error: Rule test - Prerequisite operation not in progress (line 1) invoked from within "session add ssl $id [X509::verify_cert_error_string [SSL::verify_result]] 180"
...what is the prerequisite operation that is not in progress?
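The following is an added example, not code from the original post, showing the cross-request client-cert check the poster is trying to build. It uses the generic `table` command (TMOS 10 and later) instead of `session add ssl`, because `table` keeps its own key/value store and does not depend on the SSL persistence table. The subtable name `certcache` and the data group `trusted_subjects` are assumed names; the pool `test-sun` is taken from the post. Because CLIENTSSL_CLIENTCERT does not fire on a resumed session, the rule caches both the verify result and the subject DN at handshake time, so HTTP_REQUEST never has to call `SSL::cert 0` on a connection where no cert was re-sent.

```tcl
# Added example (not from the original post). Assumes TMOS 10+ for the table
# and class commands, a client SSL profile that requests a client cert, and a
# string data group named trusted_subjects (hypothetical) holding allowed
# subject-DN substrings. Subtable name certcache is also hypothetical.
when CLIENTSSL_CLIENTCERT {
    # Runs only on a full handshake in which the client sent a cert. A resumed
    # session reuses the same SSL::sessionid but skips this event, so record
    # everything HTTP_REQUEST will need: the verify result and the subject DN.
    set id [SSL::sessionid]
    if { $id eq "" } {
        # No session ID (e.g. ticket-only resumption): nothing to key on, deny later.
        return
    }
    set vr [SSL::verify_result]
    table set -subtable certcache "$id:result" $vr 180
    if { $vr == 0 && [SSL::cert count] > 0 } {
        table set -subtable certcache "$id:subject" [X509::subject [SSL::cert 0]] 180
    }
}

when HTTP_REQUEST {
    set id [SSL::sessionid]
    set vr [table lookup -subtable certcache "$id:result"]
    if { $vr eq "" } {
        # No cache entry: no cert was presented on this TLS session, or it expired.
        HTTP::respond 403 content "client certificate required"
        return
    }
    if { $vr != 0 } {
        # A cert was presented but failed chain validation during the handshake.
        HTTP::respond 403 content "client certificate rejected: [X509::verify_cert_error_string $vr]"
        return
    }
    # Cert presented and verified: authorize on the cached subject DN.
    set subject [table lookup -subtable certcache "$id:subject"]
    if { [class match $subject contains trusted_subjects] } {
        pool test-sun
    } else {
        HTTP::respond 403 content "certificate subject not authorized"
    }
}
```

Two caveats a practitioner would check before deploying this: `table lookup` refreshes the 180-second idle timeout on every request, so add a fourth `lifetime` argument to `table set` (or use `-notouch` on the lookup) if you want clients to re-present a cert after a fixed interval regardless of activity; and the check is only as strong as the TLS session ID binding, so a client whose session ID is absent is denied rather than silently passed through.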