Writing Client-Cert info into Header - irule with strange behavior
Hi,
I have inherited a BIG-IP and I'm facing a problem with an irule that is implemented there.
The important part is this:
when HTTP_REQUEST priority 200 {
    ...
    # create HTTP headers with ssl cert infos
    set dn [ X509::issuer $cert ]
    # Split DN into Parts
    set parts [ split $dn {,} ]
    # Fill array with the different parts (O=, OU=, ...)
    foreach part $parts {
        set thispart [ split $part {=} ]
        if { [ llength $thispart ] == 2 } {
            set dnparts([lindex $thispart 0 ]) [ lindex $thispart 1 ]
        }
    }
    # Insert the necessary headers from the DN
    HTTP::header insert "SSL_CLIENT_I_DN" $dn
    foreach {part myvar} {
        {C} {SSL_CLIENT_I_DN_C}
        {CN} {SSL_CLIENT_I_DN_CN}
        {O} {SSL_CLIENT_I_DN_O}
        {OU} {SSL_CLIENT_I_DN_OU}
    } {
        if { [info exists dnparts($part) ] } {
            HTTP::header insert "$myvar" "$dnparts($part)"
        }
    }
So - the irule should read the issuer information and put it in such a format into HTTP headers:
SSL_CLIENT_I_DN: C=DE, O=Test-Organisation, OU=Test-OU, CN=Test-CN
SSL_CLIENT_I_DN_C: DE
SSL_CLIENT_I_DN_CN: Test-CN
SSL_CLIENT_I_DN_O: Test-Organisation
SSL_CLIENT_I_DN_OU: Test-OU
Now the application admin reported that these headers are not sent properly. I activated a logging irule and I can see that for some requests (it seems the initial ones) the format is OK. But for the requests later, the behavior changes. In the log I can only see the first 2 lines repeating constantly:
SSL_CLIENT_I_DN: C=DE, O=Test-Organisation, OU=Test-OU, CN=Test-CN
SSL_CLIENT_I_DN_C: DE
SSL_CLIENT_I_DN: C=DE, O=Test-Organisation, OU=Test-OU, CN=Test-CN
SSL_CLIENT_I_DN_C: DE
SSL_CLIENT_I_DN: C=DE, O=Test-Organisation, OU=Test-OU, CN=Test-CN
SSL_CLIENT_I_DN_C: DE
As mentioned, I've inherited this irule from the prior admin and I'm not that deep into TCL. For me, the rule is performed on every HTTP-Request from scratch, so there shouldn't be any difference in the behavior.
Any ideas? 🙂
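An added example, not part of the original post: plain Tcl (runnable in tclsh, outside the BIG-IP) that applies the iRule's split logic to the issuer string exactly as it appears in the logged header, beside a variant that trims each part. The proc names `parse_dn_naive`, `parse_dn_trimmed` and `lookup` are hypothetical, and the input is assumed to have the comma-plus-space form shown in the log; it makes no claim about what `X509::issuer` returns on every request.

```tcl
# Constructed sample: the issuer string as it appears in the post's log output.
set dn "C=DE, O=Test-Organisation, OU=Test-OU, CN=Test-CN"

# Same logic as the iRule: split on "," and then on "=", without trimming.
proc parse_dn_naive {dn} {
    array set dnparts {}
    foreach part [split $dn ","] {
        set thispart [split $part "="]
        if {[llength $thispart] == 2} {
            set dnparts([lindex $thispart 0]) [lindex $thispart 1]
        }
    }
    return [array get dnparts]
}

# Variant: trim whitespace around each part and split only at the first "=",
# so a value that itself contains "=" is not dropped by the length check.
proc parse_dn_trimmed {dn} {
    array set dnparts {}
    foreach part [split $dn ","] {
        set part [string trim $part]
        set eq [string first "=" $part]
        if {$eq > 0} {
            set key [string trim [string range $part 0 [expr {$eq - 1}]]]
            set dnparts($key) [string trim [string range $part [expr {$eq + 1}] end]]
        }
    }
    return [array get dnparts]
}

# Mirror the header loop: report which of the four attribute names are found.
proc lookup {pairs} {
    array set dnparts $pairs
    set found {}
    foreach key {C CN O OU} {
        if {[info exists dnparts($key)]} {
            lappend found "$key=$dnparts($key)"
        }
    }
    return $found
}

puts "naive:   [lookup [parse_dn_naive $dn]]"
puts "trimmed: [lookup [parse_dn_trimmed $dn]]"
```

For this input the naive lookup finds only `C`, because the other keys are stored with a leading space (` O`, ` OU`, ` CN`), while the trimmed variant finds all four. Both variants still split on every comma, so a value containing an escaped comma is not handled by either.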