Forum Discussion

What_Lies_Benea
Nov 14, 2013

HTTP::respond Command in the CLIENTSSL_HANDSHAKE Event

Hi all,

I'm trying to use this

HTTP::respond 302 Location "http://google.co.uk/"
under the CLIENTSSL_HANDSHAKE event but keep getting this error:

 - Illegal argument. Can't execute in the current context. (line 11) invoked from within "HTTP::respond 302 Location "http://google.co.uk/""

I'm running VE, v11.3.0 Build 3138.0. No other rules are applied to the Virtual Server. I'm not using any other ::respond or ::redirect commands anywhere within what is probably a 150-line or so iRule, also using the AUTH_RESULT and CLIENT_ACCEPTED events.

The wiki doesn't list CLIENTSSL_HANDSHAKE as a valid event for the HTTP::respond command but this article suggests it's allowed from v10.1: https://devcentral.f5.com/wiki/iRules.Client-Cert-Request-by-URI-with-OCSP-Checking-v10-1.ashx.

Any help gratefully appreciated. Thanks.

4 Replies

  • Just a stretch here, but if it is or was allowed, it probably shouldn't be. The CLIENTSSL_HANDSHAKE command should be triggering at the completion of the SSL handshake (layers 5/6) and before the HTTP HUD filter kicks in (layer 7). I would probably assign a local variable and pick that up in the HTTP_REQUEST event.

     

  • Hey Kevin,

     

    Understood, and that's what I'm doing on an OCSP check, but if it's just a case of no client certificate being presented I seem to be out of options. I've tried TCP::respond without success. I assume SSL::respond will be equally pointless?

     

  • You'll necessarily want to do this in your auth rule, so here's a minor modification that should work for you:

    when CLIENT_ACCEPTED {
        set tmm_auth_ssl_ocsp_sid 0
        set tmm_auth_ssl_ocsp_done 0
    }
    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert count] > 0 } {
            set tmm_auth_ssl_ocsp_done 0
            if {$tmm_auth_ssl_ocsp_sid == 0} {
                set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
                if {[info exists tmm_auth_subscription]} {
                    AUTH::subscribe $tmm_auth_ssl_ocsp_sid
                }
            }
            AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
            AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
            AUTH::authenticate $tmm_auth_ssl_ocsp_sid
            SSL::handshake hold
        } else {
            # no cert presented: flag it for HTTP_REQUEST and invalidate the session
            set NOCERT 1
            SSL::session invalidate
        }
    }
    when CLIENTSSL_HANDSHAKE {
        set tmm_auth_ssl_ocsp_done 1
    }
    when AUTH_RESULT {
        if {[info exists tmm_auth_ssl_ocsp_sid] and ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
            set tmm_auth_status [AUTH::status]
            if {$tmm_auth_status == 0} {
                set tmm_auth_ssl_ocsp_done 1
                SSL::handshake resume
            } elseif {$tmm_auth_status != -1 || $tmm_auth_ssl_ocsp_done == 0} {
                reject
            }
        }
    }
    when HTTP_REQUEST {
        if { [info exists NOCERT] } {
            HTTP::redirect "http://www.yahoo.com"
        }
    }