Forum Discussion

Ian_Johnson_382
Sep 25, 2012

iRule not working with SSL profile assigned to virtual server

Hi All,

I am using an iRule to direct incoming LDAP requests to servers based on the "CN" string. When I don't have a Client SSL profile assigned to the virtual server the rule works fine. With an SSL profile assigned, the rule does not match on the TCP payload, and using tcpdump I do not see any unencrypted traffic leave, just a RST sent back to the client.

This is running on LTM 10.2.4HF3


# Set DEBUG to 1 to get debug-logging of this iRule in /var/log/ltm
when RULE_INIT {
    set DEBUG 1
}

when CLIENT_ACCEPTED {
    if { $::DEBUG } { log local0. "Client connected [IP::client_addr]" }
    TCP::collect
}

when CLIENT_DATA {
    # Save payload
    set payload [TCP::payload]

    # If in debug mode, log payload of received packet
    if { $::DEBUG } { log local0. "payload <$payload" }

    # Check if payload contains the string we want to match
    if { [TCP::payload] contains "CN=adminbh" } {
        # If in debug mode, log that the payload matched
        if { $::DEBUG } { log local0. "payload matched" }
        pool pool_bh
    }

    if { $::DEBUG } { log local0. "Release TCP connection" }
    TCP::release
}

Any ideas?

Thanks

Ian
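With a clientssl profile on the virtual server, TCP::payload in CLIENT_DATA only ever sees TLS record bytes (ClientHello onwards), so a string match there cannot succeed; the cleartext is only reachable after the handshake via SSL::collect and SSL::payload. The iRule below is an added example, not code from the thread, showing the same pool-selection logic moved to the decrypted stream; pool_bh, the CN string and the debug flag are taken from the post, and the static:: namespace is assumed to be available on 10.2.x.

```tcl
# Added example (not from the original post): same routing decision as the
# posted rule, but taken on the decrypted LDAPS payload instead of the raw
# TCP stream, which is ciphertext once a clientssl profile is attached.

when RULE_INIT {
    # static:: is assumed to be available on this LTM version (10.x+)
    set static::DEBUG 1
}

when CLIENT_ACCEPTED {
    if { $static::DEBUG } { log local0. "Client connected [IP::client_addr]" }
    # No TCP::collect here: holding the encrypted stream would only
    # stall the TLS handshake.
}

# Fires once the clientside TLS handshake is complete; ask the SSL
# filter to buffer the decrypted application data for inspection.
when CLIENTSSL_HANDSHAKE {
    SSL::collect
}

# Fires when decrypted data has been collected. SSL::payload is the
# cleartext the client sent inside the TLS tunnel (here, the LDAP bind).
when CLIENTSSL_DATA {
    set payload [SSL::payload]

    if { $static::DEBUG } {
        log local0. "decrypted payload, [string length $payload] bytes"
    }

    # The bind DN is BER-wrapped but the DN text itself is plain ASCII,
    # so a substring match on the cleartext works as the post intended.
    if { $payload contains "CN=adminbh" } {
        if { $static::DEBUG } { log local0. "payload matched, using pool_bh" }
        pool pool_bh
    }

    # Hand the buffered cleartext back to the proxy; without this the
    # connection never progresses, which looks like a hang or reset.
    SSL::release
}
```

Because only a clientssl profile is attached, the selected pool member still receives cleartext LDAP, which is what the post expected to see leaving the box.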

7 Replies

  • When I don't have a Client SSL profile assigned to the virtual server the rule works fine.

    That means the traffic is not SSL.

    With an SSL profile assigned

    Nothing should work anymore. Normal.

    No?
  • We have checked the incoming traffic and it is SSL. I have captured the request and can see the SSL handshake and using ssldump I can see the LDAP query being sent.

  • How could one match the string "CN=adminbh" in SSL encrypted payload?

    Do you mean to say the iRule works for LDAP, but when you use LDAPS on the client and enable client_ssl profile, it then does not work?

    Does terminating SSL itself work, regardless of any iRule?
  • Here is the Virtual server configuration

    With the clientssl profile

    virtual vs__ldaps {
       snatpool mimecast_snat
       destination x.x.x.x:ldaps
       ip protocol tcp
       rules ldap-redirect
       profiles {
          ssl_ldap { clientside }
          tcp-lan-optimized { serverside }
          tcp-wan-optimized { clientside }
       }
    }