TCL error in X509:whole

Question

Hello! Everyone. &nbsp;
&nbsp;Do you have any ideas to solve this error? 
&nbsp;I try to write an iRule. like this. 
&nbsp;============================================================ 
&nbsp;when CLIENTSSL_HANDSHAKE { 
&nbsp;   set ssl_cert [SSL::cert 0] 
&nbsp;   log local0. [SSL::cert 0] 
&nbsp;   if { [ session lookup ssl [SSL::sessionid]] eq "" }  { 
&nbsp;      session add ssl [SSL::sessionid] $ssl_cert 180 log local0. [SSL::sessionid] 
&nbsp;   } 
&nbsp;} 
&nbsp;when HTTP_REQUEST { 
&nbsp;   if { [session lookup ssl [SSL::sessionid]] ne "" } { 
&nbsp;      log local0. "1111" 
&nbsp;      set client_cert [X509::whole [session lookup ssl [SSL::sessionid]]] 
&nbsp;      log local0. [SSL::sessionid] 
&nbsp;      regsub -all "
" $client_cert "" client_cert_insert 
&nbsp;      HTTP::header insert SSL_CLIENT_CERTIFICATE $client_cert_insert 
&nbsp;      log local0. "client_cert_insert = $client_cert_insert" 
&nbsp;   }
&nbsp;============================================================
&nbsp; 
&nbsp;But I got the following error. ============================================================ 
&nbsp;Nov 10 12:37:23 local/tmm1 err tmm1[4914]: 01220001:3: TCL error: testtest - while executing "X509::whole [session lookup ssl [SSL::sessionid]]" ============================================================ 
&nbsp;Thanks in Advance!

nitass · Answer

sol11479: If the session iRule command is used to add binary data to the session table, the data will be corrupted &nbsp;http://support.f5.com/kb/en-us/solu...11479.html&nbsp;
&nbsp;[root@ve1023:Active] config  b virtual bar list
&nbsp;virtual bar {
&nbsp;   snat automap
&nbsp;   pool foo
&nbsp;   destination 172.28.65.152:https
&nbsp;   ip protocol tcp
&nbsp;   rules myrule
&nbsp;   profiles {
&nbsp;      http {}
&nbsp;      myclientssl {
&nbsp;         clientside
&nbsp;      }
&nbsp;      tcp {}
&nbsp;   }
&nbsp;}
&nbsp;[root@ve1023:Active] config  b profile myclientssl list
&nbsp;profile clientssl myclientssl {
&nbsp;   defaults from clientssl
&nbsp;   ca file "ca.crt"
&nbsp;   peer cert mode require
&nbsp;}
&nbsp;[root@ve1023:Active] config  b rule myrule list
&nbsp;rule myrule {
&nbsp;   when CLIENTSSL_HANDSHAKE {
&nbsp;       log local0. "sessionid = [SSL::sessionid]"
&nbsp;       log local0. "client cert = [X509::whole [SSL::cert 0]]"&nbsp;
       if {[session lookup ssl [SSL::sessionid]] eq ""} {
&nbsp;        session add ssl [SSL::sessionid] [b64encode [SSL::cert 0]] 180
&nbsp;       }
&nbsp;}&nbsp;
when HTTP_REQUEST {
&nbsp;       log local0. "sessionid = [SSL::sessionid]"&nbsp;
       if {[session lookup ssl [SSL::sessionid]] ne ""} {
&nbsp;        log local0. "client cert = [X509::whole [b64decode [session lookup ssl [SSL::sessionid]]]]"
&nbsp;        regsub -all "
" [X509::whole [b64decode [session lookup ssl [SSL::sessionid]]]] "" client_cert_insert&nbsp;
        log local0. "client_cert_insert = $client_cert_insert"
&nbsp;        HTTP::header insert SSL_CLIENT_CERTIFICATE $client_cert_insert
&nbsp;       }
&nbsp;}
&nbsp;}&nbsp;
&nbsp;[root@ve1023:Active] config  curl -Ik https://172.28.65.152 --cert /var/tmp/temp/ca/client.crt --key /var/tmp/temp/ca/client.key
&nbsp;HTTP/1.1 200 OK
&nbsp;Date: Thu, 10 Nov 2011 08:59:31 GMT
&nbsp;Server: Apache/2.2.3 (CentOS)
&nbsp;Last-Modified: Tue, 08 Nov 2011 12:54:37 GMT
&nbsp;ETag: "4183c9-30-ac7cfd40"
&nbsp;Accept-Ranges: bytes
&nbsp;Content-Length: 48
&nbsp;Connection: close
&nbsp;Content-Type: text/html; charset=UTF-8&nbsp;
[root@ve1023:Active] config  cat /var/log/ltm
&nbsp;Nov 10 00:59:17 local/tmm info tmm[4766]: Rule myrule : sessionid = 854d7777d844dc1aa3756d51174e92cb3c13a7ce91d6e3dd471ae34dc2a528f3
&nbsp;Nov 10 00:59:17 local/tmm info tmm[4766]: Rule myrule : client cert = -----BEGIN CERTIFICATE----- MIIDujCCAqKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJ1czEL MAkGA1UECBMCd2ExEDAOBgNVBAcTB3NlYXR0bGUxDjAMBgNVBAoTBWY1bmV0MQsw CQYDVQQLEwJwczEVMBMGA1UEAxMMY2EuZjVuZXQuY29tMB4XDTExMTAxMDE0Mjkw NVoXDTEyMTAwOTE0MjkwNVowZDELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAndhMRAw DgYDVQQHEwdzZWF0dGxlMQ4wDAYDVQQKEwVmNW5ldDELMAkGA1UECxMCcHMxGTAX BgNVBAMTEGNsaWVudC5mNW5ldC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQChVkX+nkUAijf3Wo66w28PqLwrc+72h9LNScP7lFJ7nUqPSdfMRvY+ oGh8kEwR/FZVbGmzcd947kZuE4PowVwY4ULUB46/2wcGsYLFar+BXALqOtOBnf1i tIYB4lQhDs0ptRYV3EAh5lIeVcLMIAjIMruGnBK4w9kTvyWhHcTppz7Rjk/kMQkX DfxPUogYJ6rBK/Y3WO8j/KuNhenT3yVWyJH2hqoQV9H9Hpq69JPc0EHIuRTSexXh bxeJrbQPfru9lftcsVW3AwUIfM9L7DRfYHpdrdE2A52nuEm6dZsabl3JYZH02JtG Suly1SnFsL/61t/kGjcN+5BETdt8pjSZAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJ YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud DgQWBBT/hZibzImAU/yPcC/BVXR612zSkTAfBgNVHSMEGDAWgBRR68sD4lIUjXWG HB0xNIFIvtpPOjANBgkqh
&nbsp;Nov 10 00:59:17 local/tmm info tmm[4766]: Rule myrule : sessionid = 854d7777d844dc1aa3756d51174e92cb3c13a7ce91d6e3dd471ae34dc2a528f3
&nbsp;Nov 10 00:59:17 local/tmm info tmm[4766]: Rule myrule : client cert = -----BEGIN CERTIFICATE----- MIIDujCCAqKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJ1czEL MAkGA1UECBMCd2ExEDAOBgNVBAcTB3NlYXR0bGUxDjAMBgNVBAoTBWY1bmV0MQsw CQYDVQQLEwJwczEVMBMGA1UEAxMMY2EuZjVuZXQuY29tMB4XDTExMTAxMDE0Mjkw NVoXDTEyMTAwOTE0MjkwNVowZDELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAndhMRAw DgYDVQQHEwdzZWF0dGxlMQ4wDAYDVQQKEwVmNW5ldDELMAkGA1UECxMCcHMxGTAX BgNVBAMTEGNsaWVudC5mNW5ldC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQChVkX+nkUAijf3Wo66w28PqLwrc+72h9LNScP7lFJ7nUqPSdfMRvY+ oGh8kEwR/FZVbGmzcd947kZuE4PowVwY4ULUB46/2wcGsYLFar+BXALqOtOBnf1i tIYB4lQhDs0ptRYV3EAh5lIeVcLMIAjIMruGnBK4w9kTvyWhHcTppz7Rjk/kMQkX DfxPUogYJ6rBK/Y3WO8j/KuNhenT3yVWyJH2hqoQV9H9Hpq69JPc0EHIuRTSexXh bxeJrbQPfru9lftcsVW3AwUIfM9L7DRfYHpdrdE2A52nuEm6dZsabl3JYZH02JtG Suly1SnFsL/61t/kGjcN+5BETdt8pjSZAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJ YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud DgQWBBT/hZibzImAU/yPcC/BVXR612zSkTAfBgNVHSMEGDAWgBRR68sD4lIUjXWG HB0xNIFIvtpPOjANBgkqhkiG9w0B
&nbsp;Nov 10 00:59:17 local/tmm info tmm[4766]: Rule myrule : client_cert_insert = -----BEGIN CERTIFICATE-----MIIDujCCAqKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJ1czELMAkGA1UECBMCd2ExEDAOBgNVBAcTB3NlYXR0bGUxDjAMBgNVBAoTBWY1bmV0MQswCQYDVQQLEwJwczEVMBMGA1UEAxMMY2EuZjVuZXQuY29tMB4XDTExMTAxMDE0MjkwNVoXDTEyMTAwOTE0MjkwNVowZDELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAndhMRAwDgYDVQQHEwdzZWF0dGxlMQ4wDAYDVQQKEwVmNW5ldDELMAkGA1UECxMCcHMxGTAXBgNVBAMTEGNsaWVudC5mNW5ldC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChVkX+nkUAijf3Wo66w28PqLwrc+72h9LNScP7lFJ7nUqPSdfMRvY+oGh8kEwR/FZVbGmzcd947kZuE4PowVwY4ULUB46/2wcGsYLFar+BXALqOtOBnf1itIYB4lQhDs0ptRYV3EAh5lIeVcLMIAjIMruGnBK4w9kTvyWhHcTppz7Rjk/kMQkXDfxPUogYJ6rBK/Y3WO8j/KuNhenT3yVWyJH2hqoQV9H9Hpq69JPc0EHIuRTSexXhbxeJrbQPfru9lftcsVW3AwUIfM9L7DRfYHpdrdE2A52nuEm6dZsabl3JYZH02JtGSuly1SnFsL/61t/kGjcN+5BETdt8pjSZAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBT/hZibzImAU/yPcC/BVXR612zSkTAfBgNVHSMEGDAWgBRR68sD4lIUjXWGHB0xNIFIvtpPOjANBgkqhkiG9w0BAQUFAAOC&nbsp;&nbsp;

Forum Discussion

TCL error in X509:whole

1 Reply

Recent Discussions

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Related Content

K23237429: TCL error: ERR_NOT_SUPPORTED after upgrade to version 14.1.0 or later

TCL errors

F5 Policy using replace with TCL

F5 Automation - TCL & Bash

Insufficient permissions BIG-IQ login error