Forum Discussion

MattB_MA_170307
Sep 26, 2014

iRule to Decrypt and then Re-Encrypt outbound traffic

I'm supporting a server that is using a v2 SSL certificate to transmit SOAP data. I need to change the SSL from V2 on the server to V3, which is supported on the F5 LTM. My goal is to take all outbound traffic on the server on port 443, decrypt it, then re-encrypt it and send it along to its destination. I have a stateless router set up on our LTM that acts as a default gateway for the system; I just need to implement the iRule. How can I accomplish this?


5 Replies

  • You need to change the VS type from forwarding to standard in order to apply a client-side and server-side SSL profile to match your SSL version requirements. I'm not sure you really need an iRule here.


  • A little more detail here regarding that. My VS is listening on a non-standard port, so clients connecting aren't coming in through 443. Our server receives SOAP data on that non-standard port, then makes additional outbound connections on 443. I need to re-encrypt the outbound server-initiated connections. Should I do this with a new VS and SNAT?


  • Here's even more detail: this is the stateless router we have that acts as a gateway for the servers behind the F5: http://packetpushers.net/stateless-routing-f5-ltm/


    Since server-initiated traffic has to pass through that router, I want to apply an iRule that says:


    When a connection is made from x_pool on port 443 (or better yet, using the HTTPS protocol), decrypt it using x cert, then encrypt it using y cert and send it along to the target out on the Internet.


    Now, that target will no doubt respond using y's cert, which then will hit the F5, and needs to be re-encrypted using x's cert.


    Can that be done?


  • You cannot do that with the forwarding IP virtual server type you are using, as this virtual is not doing L7 proxy on flows. As I said, you have to create a new VS with your destination IP address as virtual IP and your destination PORT, and then play with the SSL profile to enforce the SSL version you need.


  • The problem here is that the destination is always changing. The server processes outbound traffic for a number of different systems out on the Internet. This is why I was looking for an iRule that I can apply to the router, as I know they can process iRules. I also know that iRules can apply certs to outbound packets via SNAT, which according to my understanding is useful when you are dealing with a limited known set of destinations. In this case, we just need to apply a rule to a port based off of a known source address, this being the server.
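One way to build the standard (full-proxy) virtual server the replies describe, written as an added bigip.conf-style configuration example that is not from the thread or from F5. It assumes the application server sits in 10.1.1.0/24, that a certificate/key pair named appserver-facing is already imported on the LTM to present to the server, and that ca-bundle.crt holds the CAs used to validate Internet destinations; the wildcard 0.0.0.0:443 destination covers the "destination is always changing" case.

```tmsh
# Client-side profile: what the F5 presents to the internal server (assumed cert/key names)
ltm profile client-ssl /Common/outbound_clientssl {
    cert /Common/appserver-facing.crt
    defaults-from /Common/clientssl
    key /Common/appserver-facing.key
}
# Server-side profile: the F5 re-encrypts toward the Internet with legacy
# protocol versions disabled and peer certificate verification required
ltm profile server-ssl /Common/outbound_serverssl {
    ca-file /Common/ca-bundle.crt
    defaults-from /Common/serverssl
    options { dont-insert-empty-fragments no-sslv2 no-sslv3 }
    peer-cert-mode require
}
# Standard wildcard VS, matched only for TCP/443 flows from the server subnet;
# address and port translation are disabled so the real destination is kept,
# and SNAT automap makes the return traffic come back through the LTM
ltm virtual /Common/outbound_https_reencrypt {
    destination /Common/0.0.0.0:443
    ip-protocol tcp
    mask any
    profiles {
        /Common/outbound_clientssl { context clientside }
        /Common/outbound_serverssl { context serverside }
        /Common/tcp { }
    }
    source 10.1.1.0/24
    source-address-translation { type automap }
    translate-address disabled
    translate-port disabled
}
```

Because LTM selects the most specific matching virtual server, this port-443 VS takes precedence over the existing 0.0.0.0:any forwarding virtual for those flows, and everything else still goes through the stateless router.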