Forum Discussion
Ken_Cottrell
Nimbostratus
Apr 15, 2010
Anyone using the LDAP Proxy iRule with an SSL Virt Host?
We have implemented the LDAP Proxy iRule on a non-SSL virtual host to send read and write requests to separate pools. When implementing the same iRule for an SSL virtual host, we are getting a NamingException, bind failed, connect reset. If I replace the iRule with an SSL default pool it works fine, so my SSL config is good. Has anyone else done this?
2 Replies
- hoolio
Cirrostratus
Hi Skynard,
If the clientside connection is encrypted and you want to inspect the decrypted payload, I think you'd need to use SSL::collect and SSL::payload on v10.x to handle this. Or in v9.4+ you could use a simple iRule on the existing SSL VIP which uses the command to call a second internal VIP which has the LDAP proxy iRule enabled.
Aaron
- Ken_Cottrell
Nimbostratus
Thanks for the reply Aaron,
I made the following changes to the iRule we are using for non-SSL LDAP traffic, but am still getting simple bind failed, connect reset.
I am also not seeing any log entries for this rule when setting debug on.
I replaced TCP::collect and TCP::payload with SSL::collect and SSL::payload in the existing iRule.
I also ended up changing:
CLIENT_ACCEPTED to CLIENTSSL_HANDSHAKE
CLIENT_DATA to CLIENTSSL_DATA and
SERVER_ACCEPTED to SERVERSSL_HANDSHAKE
SERVER_DATA to SERVERSSL_DATA
I also changed TCP::release and TCP::respond to SSL::release and SSL::respond.
