Forum Discussion

Access to Decrypted SSL Data
Jeff_Mattson_44 (Nimbostratus), Mar 14, 2007
I am looking for a quick sanity check...
My destination service is determined by data inside of an SSL-encrypted packet.
The only way to process decrypted packet data on an SSL-terminating virtual service is to pass it in plaintext to another virtual service using a loopback net, right? (At least I gather this from previous forum posts.) I've got this implemented, but am hoping there is a better way!
The stream::match stuff won't work for me because that gives access to the stream on its way to a destination, right? And I don't have a destination until I read the packet.
Thanks!
Jeff
3 Replies
- Colin_Walker_12 (Historic F5 Account): Jeff,
If you're terminating SSL at the BIG-IP you'll be able to do whatever you want with the packet data in plaintext with just one Virtual Server. There's no need to forward it to another. What is it you're trying to accomplish?
- Colin - Here is what has been said regarding this topic back in 2005 by one of the F5 developers:
  http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&forumid=5&postid=4638
- Unfortunately, for SSL connections, you must first collect the data before it can be decrypted. The CLIENT_* events occur before the SSL termination occurs, so you cannot inspect the decrypted content. The protocol handlers (HTTP, etc.) occur after the decryption occurs (if you have a clientssl profile enabled), so from within those you can inspect the data. Unfortunately, without using a redirect to another virtual server as suggested in the above post, it's not possible unless you are using something like HTTP.
  -Joe
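The two-virtual-server pattern Jeff describes, written out as an added iRule example (not code from the thread or from F5). Virtual server names, pool names, the loopback address 127.0.0.2:8080 and the "APP-B" routing marker are assumptions; the point it shows is that CLIENT_DATA on the SSL-terminating virtual only ever sees ciphertext, while the same event on the loopback virtual sees the decrypted bytes and can pick the pool.

```tcl
# iRule 1: attached to virtual server https_front (client-facing :443,
# clientssl profile attached). SSL is terminated here, but CLIENT_ACCEPTED
# and CLIENT_DATA fire before decryption, so nothing is inspected at this
# stage; the decrypted stream is simply handed to a pool whose single
# member is the second virtual server listening on a loopback address
# (assumed: pool_loopback -> 127.0.0.2:8080).
when CLIENT_ACCEPTED {
    # TCP::payload here would be TLS records, not application data.
    pool pool_loopback
}

# iRule 2: attached to virtual server plaintext_back (127.0.0.2:8080, no
# SSL profile). It receives the decrypted bytes as an ordinary TCP
# connection, so CLIENT_DATA can inspect them and choose the destination.
when CLIENT_ACCEPTED {
    # Buffer client data instead of forwarding it, so the routing
    # decision is made before any byte reaches a pool member.
    TCP::collect
}

when CLIENT_DATA {
    # Assumed: the routing marker lies within the first 64 bytes; keep
    # collecting until that much has arrived.
    if { [TCP::payload length] < 64 } {
        TCP::collect
        return
    }
    # Route on the decrypted payload (assumed marker and pool names).
    if { [string match -nocase "*APP-B*" [TCP::payload 64]] } {
        pool pool_app_b
    } else {
        pool pool_app_a
    }
    # Release the buffered bytes toward the selected pool.
    TCP::release
}
```

If the traffic is HTTP, Joe's note applies and the detour is unnecessary: an HTTP_REQUEST event on https_front already runs after the clientssl profile has decrypted the request.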