Forum Discussion

BEdmunds_8904
Jun 19, 2012

Logging SSL Renegotiations

Hi All,

So I am a complete newb to both F5 and iRules, I've got an older version of LTM, 9.4.8 w/ HF 4. We are looking to upgrade and in particular to fix the CVE-2009-3555 vulnerability. Before doing so, we want to gauge the impact to our partners, so I'd like to log all SSL renegotiation handshakes.

Borrowing from the work of Lupo in https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/86456/showtab/groupforums/Default.aspx, it looks like I could do the same, just leave off the close command.

So I end up with:

    when CLIENT_ACCEPTED {
        # initialize TLS/SSL handshake count for this connection
        set sslhandshakecount 0
    }

    # if you have lower priority iRules on the CLIENTSSL_HANDSHAKE event,
    # you have to make sure that they don't interfere with this iRule
    when CLIENTSSL_HANDSHAKE priority 100 {
        # a handshake just occurred
        incr sslhandshakecount

        # is this the first handshake in this connection?
        if { $sslhandshakecount != 1 } {
            # log (rate limited) the event (to /var/log/tmm)
            log "\[VS [virtual] client [IP::client_addr]:[TCP::client_port]\]: TLS/SSL renegotiation occurred"
        }
    }

Any thoughts or improvements? Is this the right approach?

I have opened a case with support too, Case C1141780

thanks for reading.

2 Replies

  • Hi,

    Yes, that looks like a sound approach if you just want to log renegotiations.

    The log output will get written to /var/log/ltm as opposed to the comments showing /var/log/tmm.

    Aaron
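Added example, not code from the original post and not anything F5 ships: once the iRule above has been running for a while, the question the poster actually wants answered is which partners depend on renegotiation. The script below pulls the message the iRule's `log` call writes out of /var/log/ltm (the location Aaron points to) and aggregates it per virtual server and client IP, distinguishing the number of logged renegotiations from the number of distinct connections (approximated by client port) that renegotiated. The bracketed message format is taken from the iRule's `log` line; the syslog prefix in the sample lines, the rule name `reneg_log`, the virtual server names and the client addresses are constructed for the example.

```python
"""Summarize the renegotiation events the thread's iRule logs.

Constructed example: the syslog prefix is an assumption; the bracketed
message body is exactly what the iRule's log command emits.
"""
import re
import sys
from collections import defaultdict

# Message body written by the iRule:
#   "[VS <virtual> client <ip>:<port>]: TLS/SSL renegotiation occurred"
# Only this part is matched, so the syslog prefix that /var/log/ltm adds
# (timestamp, host, "Rule <name> <CLIENTSSL_HANDSHAKE>:") can vary by version.
RENEG_RE = re.compile(
    r"\[VS (?P<vs>\S+) client (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\]: "
    r"TLS/SSL renegotiation occurred"
)

# Constructed sample lines (not real /var/log/ltm output). 192.0.2.10 renegotiates
# on two connections, one of them twice; one unrelated iRule line is mixed in.
SAMPLE_LOG = """\
Jun 19 09:12:01 lb1 info tmm[2051]: Rule reneg_log <CLIENTSSL_HANDSHAKE>: [VS vs_partner_https client 192.0.2.10:51234]: TLS/SSL renegotiation occurred
Jun 19 09:12:05 lb1 info tmm[2051]: Rule reneg_log <CLIENTSSL_HANDSHAKE>: [VS vs_partner_https client 192.0.2.10:51240]: TLS/SSL renegotiation occurred
Jun 19 09:12:09 lb1 info tmm[2051]: Rule reneg_log <CLIENTSSL_HANDSHAKE>: [VS vs_partner_https client 192.0.2.10:51240]: TLS/SSL renegotiation occurred
Jun 19 09:13:44 lb1 info tmm[2051]: Rule reneg_log <CLIENTSSL_HANDSHAKE>: [VS vs_partner_https client 198.51.100.7:40022]: TLS/SSL renegotiation occurred
Jun 19 09:14:02 lb1 info tmm[2051]: Rule other_rule <HTTP_REQUEST>: unrelated message from another iRule
Jun 19 09:15:30 lb1 info tmm[2051]: Rule reneg_log <CLIENTSSL_HANDSHAKE>: [VS vs_portal_https client 203.0.113.9:33001]: TLS/SSL renegotiation occurred
"""


def parse_renegotiations(text):
    """Return one (vs, client_ip, client_port) tuple per renegotiation log line."""
    events = []
    for line in text.splitlines():
        m = RENEG_RE.search(line)
        if m:
            events.append((m.group("vs"), m.group("ip"), int(m.group("port"))))
    return events


def summarize(events):
    """Aggregate events into {vs: {client_ip: {"events": n, "connections": m}}}.

    "events" is the number of log lines (the iRule logs every handshake after
    the first on a connection, so a connection that renegotiates twice counts
    twice). "connections" is the number of distinct client ports seen, which
    approximates how many connections renegotiated; ports are reused over
    time, so treat it as an estimate, not an exact count.
    """
    acc = defaultdict(lambda: defaultdict(lambda: {"events": 0, "ports": set()}))
    for vs, ip, port in events:
        acc[vs][ip]["events"] += 1
        acc[vs][ip]["ports"].add(port)
    return {
        vs: {ip: {"events": c["events"], "connections": len(c["ports"])}
             for ip, c in clients.items()}
        for vs, clients in acc.items()
    }


def report(summary):
    """Render the summary, noisiest client first under each virtual server."""
    lines = []
    for vs in sorted(summary):
        lines.append(f"{vs}:")
        clients = sorted(summary[vs].items(), key=lambda kv: -kv[1]["events"])
        for ip, c in clients:
            lines.append(f"  {ip:<15} renegotiations={c['events']} connections={c['connections']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python reneg_summary.py /var/log/ltm   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarize(parse_renegotiations(text))))
```

Matching only the bracketed message rather than the whole line is deliberate: the `log` command's syslog prefix differs between BIG-IP versions and the iRule's name is site-specific, while the bracketed part is fixed by the iRule itself. Because the iRule logs every handshake after the first, a client that renegotiates several times on one long-lived connection inflates the event count; the per-port connection estimate is what to look at when deciding which partners will break once renegotiation is disabled.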