Jeff_Mattson_44 (Nimbostratus)
Jan 24, 2007
SSL termination -- race condition?
Hi,
I'm using Big-IP v9.1.2.
I have a virtual with a basic client ssl profile but without a default pool.
I'm setting the destination in an irule using a node statement in the CLIENTSSL_HANDSHAKE event.
As soon as the ssl handshake is completed (successfully), the client gets a tcp-reset packet (The Big-IP never tries to reach the server; the log shows the log statement from the irule).
Interestingly, I can get a good connection in any of the following situations:
(1) the ssl client requests a weak cipher, like the 40-bit Export algorithms.
(2) an http virtual uses an http profile (I'm not using http; I just tested behavior with it).
(3) the virtual has a default pool.
It seems like the node command in the CLIENTSSL_HANDSHAKE event doesn't execute before the F5 expects to have a destination. I'm curious as to why it works with the Export ciphers and not any others.
Ultimately, I need to direct traffic based on decrypted SSL payload, via Stream::collect or however it is made available. I'm concerned that maybe this tcp reset will affect me when we get to that point.
Perhaps newer versions have addressed this? I'm going to upgrade and test, but thought I'd ask now anyhow, since I'm probably just missing something fundamental.
Thanks for any clarification.
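For reference, here is the setup the post describes written out as an iRule, followed by a sketch of the decrypted-payload routing the poster says is the ultimate goal. This is an added example, not code from the original post or from F5; the node address and port are constructed placeholders, and the use of SSL::cipher, SSL::collect, SSL::payload and SSL::release is assumed to be available on the BIG-IP version in use.

```tcl
# Added example (not from the original post). Node address/port and log text are
# constructed placeholders; command availability on v9.1.2 is an assumption.

# Part 1: the configuration described in the post. The virtual carries a client SSL
# profile and no default pool; the destination is chosen only after the handshake.
when CLIENTSSL_HANDSHAKE {
    # Record the negotiated cipher so the "Export cipher works, others reset" cases
    # can be told apart in /var/log/ltm when reproducing the behaviour.
    log local0. "handshake done: cipher=[SSL::cipher name] bits=[SSL::cipher bits]"

    # Per the post, this is the point where the client receives a TCP reset when the
    # virtual has no default pool; the same iRule completes once a default pool is
    # attached (the post's third working case), so compare the two configurations.
    node 10.0.0.10 443
}

# Part 2: the stated end goal, routing on decrypted SSL payload. The decision string
# "backend-b" is a constructed placeholder for whatever the real application sends.
when CLIENTSSL_HANDSHAKE {
    # Ask the SSL filter to hand decrypted client bytes to CLIENTSSL_DATA.
    SSL::collect
}

when CLIENTSSL_DATA {
    set payload [SSL::payload]
    if { [string match "*backend-b*" $payload] } {
        node 10.0.0.11 443
    } else {
        node 10.0.0.10 443
    }
    # Release the collected bytes so they flow on to the chosen node.
    SSL::release
}
```

Only one of the two CLIENTSSL_HANDSHAKE blocks would be used in a real rule; they are shown together so the plain "pick a node after the handshake" case and the "collect, inspect, then pick a node" case can be compared against the reset behaviour the post reports.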