Selecting Server SSL in iRule and iApp
Hi,
I know that it is not a usual situation to modify anything in iApp objects. Anyway, I did it for some test purposes and something caught me off guard.
Setup:
- iApp with
  - Client SSL
  - Server SSL
- iRule with code like this:
set profile "SSL::profile ${ssls}"
# $disable is not set in the posted excerpt; assumed to be the matching disable command
set disable "SSL::disable serverside"
if { [PROFILE::exists serverssl] == 1 } {
    # Trying to set profile specified by ssls var
    if { [catch {eval $profile}] } {
        # Setting profile failed - most probably profile
        # with name specified by ssls var does not exist
        catch {eval $disable}
        # Client connection should be rejected
        # reject is triggering LB_FAILED
        # and HTTP respond can be used
        reject
    } else {
        # Hide these commands from the iRule parser (in case no serverssl profile is applied)
        set enable "SSL::enable serverside"
        if { [catch {eval $enable}] } {
            reject
        }
    }
}
The profile specified in [catch {eval $profile}] is from the /Common/ folder.
The profile attached to the VS is of course from the /Common/iapp_name/ folder.
Even though there is no error in the log and everything looks like success, when SERVERSSL_CLIENTHELLO_SEND is triggered (used to set SNI), the Server SSL profile reported by [PROFILE::serverssl name] is the one attached to the VS.
When no iApp-based VS is used, profile switching works without issue.
I wonder if this is because the new Server SSL should be in the same folder as the iApp-attached profile, so not in /Common/ but in /Common/iapp_name/?
Piotr