Forum Discussion

Cisco2F5_16233's avatar
Cisco2F5_16233
Icon for Nimbostratus rankNimbostratus
Jan 05, 2012

iRule /SSL Profile Issue

Basically I have Web facing VIP with a real world IP for some of our HTTPS transactions because of this we use an auto SNAT. What we are seeing is when our vendors make a connection we separate their transactions by source IPs. i.e Vendor A comes in with 1.1.1.1 and replace the NETWORK_ALIAS with 1.1.1.1. What it happening is about half the 1.1.1.1 get replaced with the F5 Self IP. In addition in our SSL profile we require Client Authentication Client Certificate and the frequency set at once..I have a feeling this might be the issue but I’m unsure. And I was told if we changed frequency to always than the iRule would need to be re done… below is the iRule

 

 

when CLIENTSSL_CLIENTCERT {

 

set cert [SSL::cert 0]

 

set clientip [IP::remote_addr]

 

if { $cert ne ""} {

 

log local0. "iRULE:ClientIP:$clientip | Status: Cert Sent"

 

set hash [X509::hash $cert]

 

session add ssl [SSL::sessionid] $cert 180

 

} else {

 

log local0. "iRULE:ClientIP:$clientip | Status: No Cert"

 

reject

 

return

 

}

 

}

 

when HTTP_REQUEST {

 

if { [info exists hash] } {

 

HTTP::header replace NETWORK_ALIAS $hash

 

log local0. "iRULE:Inserting HTTP header client $clientip Cert Hash: $hash"

 

}

 

}

 

 

application delivery
dev
devops
iRules

2 Replies

Sort By
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jan 05, 2012
    What it happening is about half the 1.1.1.1 get replaced with the F5 Self IP.could you please explain a little bit more? how do you know 1.1.1.1 gets replaced with selfip? is it from log command in HTTP_REQUEST or from NETWORK_ALIAS header's hash value?
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jan 05, 2012
    With your current iRule, the header will only get inserted on HTTP requests where the client presented the cert. If the client opens a new connection and resumes the existing SSL session, you wouldn't get the cert details inserted.

     

     

    You could either change the cert frequency to always or modify the iRule to read the session table entry in HTTP_REQUEST. I've added some functionality to check the client's cert against the trusted CA bundle configured in the client SSL profile. I also added some options for handling when the client's resumed session does not exist in TMM's cache. Here's an untested example:

     

     

    
when RULE_INIT {
 Log debug messages to /var/log/ltm? 1=yes, 0=no
set static::cert_debug 1
}
when CLIENTSSL_CLIENTCERT {

 Check if the client presented a cert
if { [SSL::cert count] == 0 } {

if {$static::cert_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: No cert. Rejecting."}

 Remove the SSL session ID from the cache and reset the connection
SSL::session invalidate
reject

} else {
 Check if client cert validates against TMMs trusted CA cert bundle
 SSL status code defined here: http://www.openssl.org/docs/apps/verify.htmlDIAGNOSTICS
if { [SSL::verify_result] != 0 }{

if {$static::cert_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Bad cert - [X509::verify_cert_error_string [SSL::verify_result]]"}

 Remove the SSL session ID from the cache and reset the connection
SSL::session invalidate
reject
}
}
}
when HTTP_REQUEST {

 Check if the client SSL session ID and cert exist in the TMM cache
if { [SSL::sessionid] ne "" and [SSL::cert 0] ne ""}{

HTTP::header replace NETWORK_ALIAS [X509::hash [SSL::cert 0]]
if {$static::cert_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Inserting cert hash: [X509::hash [SSL::cert 0]]"}

} else {

if {$static::cert_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Invalid client SSL session ID or cert."}

 Send a TCP reset
reject

 Or send an HTTP response?
HTTP::respond 403 content {You must supply a client cert}

 Or renegotiate the handshake to request a client cert?

 Force renegotiation of the SSL connection with a cert requested
 Hold the HTTP request until the SSL re-negotiation is complete
HTTP::collect; Need to call HTTP::release in CLIENTSSL_CLIENTCERT if a cert is presented
SSL::session invalidate
SSL::authenticate always
SSL::authenticate depth 9
SSL::cert mode require
SSL::renegotiate
}
}

     

     

    Aaron