behavior of SSL::disable serverside
Hello!
I've configured an https virtual server, with an associated iRule that chooses the server pool according to the URI.
The only unusual thing is that some of the pools have SSL servers and others use plain HTTP. Because of that, along with the 'pool' instruction I have also inserted an SSL::disable statement. Both client-side and server-side SSL profiles are configured on the virtual server.
Tests have shown that traffic works fine. However, the ltm log is full of messages like this:
tmm[22695]: 01260009:4: 10.x.x.11%2:9090 -> 10.x.x.10%2:64337: Connection error: ssl_null_parse:3708: alert(10) invalid record type
tmm[22695]: 01260013:4: SSL Handshake failed for TCP 10.x.x.11%2:9090 -> 10.x.x.10%2:64337
I can show a sample of the iRule section that performs the pool choice, it's a 'switch' statement that looks like this:
when HTTP_REQUEST {
    # Pool selection by URI path (lower-cased so the glob patterns are case-insensitive)
    switch -glob [string tolower [HTTP::uri]] {
        "/path1/*" {
            pool POOL-path1
            persist cookie insert cookie1
        }
        "/path2/*" {
            pool POOL-path2
            persist cookie insert cookie2
        }
        "/path3/*" {
            # POOL-path3 members speak plain HTTP, so the server-side SSL profile
            # is switched off for this connection before the pool is selected
            SSL::disable serverside
            pool POOL-path3
        }
    }
}
That "10.x.x.11%2:9090" in the log line is a pool member from POOL-path3, no doubt whatsoever.
The message makes it look like SSL is not being disabled - not at first - but the fact that the client receives content from /path3 is more than enough proof that SSL was disabled at some point. So how do I get this to work as expected? (with the benefit of cleaning my ltm log...) I haven't found any relevant information on KB articles or devcentral posts.
There is one devcentral post - https://community.f5.com/t5/technical-forum/ssl-disable-serverside/m-p/207774 - with a similar request. The proposed answer was never validated, but it's the same as my recipe above, except for the logging line. Anyway, I don't have a problem with the iRule not working... I have a problem with filling the log with trash, and possibly a performance issue if this goes into production as it is.
/Mike
Better to give the output of 'list ltm virtual xxx' and a server-side tcpdump, to check whether the F5 sends a ClientHello to this pool member.
Modify the iRule like this to test:

when HTTP_REQUEST {
    # Default: keep the server-side SSL profile unless a plain-HTTP pool is chosen
    set usessl 0
    switch -glob [string tolower [HTTP::uri]] {
        "/path1/*" {
            set usessl 1
            pool POOL-path1
            persist cookie insert cookie1
        }
        "/path2/*" {
            set usessl 1
            pool POOL-path2
            persist cookie insert cookie2
        }
        "/path3/*" {
            set usessl 0
            # SSL::disable serverside
            pool POOL-path3
        }
        default {
            set usessl 1
        }
    }
}

when SERVER_CONNECTED {
    log local0. "usessl value is $usessl"
    if { $usessl == 0 } {
        # No argument given: in a server-side event the command applies to the server side
        SSL::disable
    }
}
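An added example for the two points raised in this thread, written by the editor in Python; it is not code from the original post, from the reply, or from F5. It shows what the "invalid record type" message in the question means at the byte level, and gives a way to answer the question in the reply (was a ClientHello sent to the pool member) from a server-side capture. A TLS record parser first checks that byte 0 is a TLS ContentType (20 to 23) and that bytes 1 and 2 carry a 3.x version; plain HTTP fails on byte 0 ('G' or 'H'), and alert 10 is TLS unexpected_message. The log line in the question names the pool member as the sender of the unparsable bytes, so the second helper tallies the 01260009 / 01260013 lines per pool member. All sample bytes, log lines and addresses (10.1.1.x) are constructed for the example.

```python
"""
Added example, not code from the thread or from F5. It classifies the first
bytes on a connection (TLS record vs plain HTTP) and tallies BIG-IP ltm log
lines with the 01260009 / 01260013 message IDs per pool member. Samples are
constructed.
"""
import re
from collections import Counter

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH")

# In both message formats the endpoint left of " -> " is the pool member
# (source of the unparsable record / TCP peer of the failed handshake).
# BIG-IP writes route-domain addresses as ip%rd:port, e.g. 10.1.1.11%2:9090.
LTM_SSL_FAIL = re.compile(
    r"(?P<msgid>01260009|01260013):\d+: .*?"
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}(?:%\d+)?:\d+) -> "
)


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes seen on a TCP connection.

    Returns "tls_client_hello", "tls_<content type>", "plaintext_http" or
    "unknown". A TLS verdict needs the 5-byte record header; telling a
    ClientHello from other handshake records needs the handshake type byte.
    """
    if len(data) < 5:
        return "unknown"
    ctype, ver_major, ver_minor = data[0], data[1], data[2]
    if ctype in TLS_CONTENT_TYPES and ver_major == 3 and ver_minor <= 4:
        if ctype == 22 and len(data) >= 6 and data[5] == 1:
            return "tls_client_hello"
        return "tls_" + TLS_CONTENT_TYPES[ctype]
    head = data[:8]
    if head.startswith(b"HTTP/") or any(head.startswith(m + b" ") for m in HTTP_METHODS):
        return "plaintext_http"
    return "unknown"


def tally_ssl_failures(lines):
    """Count SSL failure log lines per (pool member, message id)."""
    counts = Counter()
    for line in lines:
        m = LTM_SSL_FAIL.search(line)
        if m:
            counts[(m.group("peer"), m.group("msgid"))] += 1
    return counts


# Constructed samples.
# Record header of a TLS 1.2 ClientHello plus the handshake type byte: what a
# server-side tcpdump shows if the server-side SSL profile is still active.
SAMPLE_CLIENT_HELLO = bytes.fromhex("16 03 03 00 c4 01 00 00 c0")
# Plain HTTP in either direction; both start with a byte that is not a
# TLS ContentType, so an SSL parser rejects them at the first record.
SAMPLE_HTTP_REQUEST = b"GET /path3/index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"
SAMPLE_HTTP_RESPONSE = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
# ltm log lines shaped like the ones in the question (addresses made up).
SAMPLE_LTM_LOG = [
    "Jan  1 00:00:00 bigip1 warning tmm[22695]: 01260009:4: 10.1.1.11%2:9090 -> "
    "10.1.1.10%2:64337: Connection error: ssl_null_parse:3708: alert(10) invalid record type",
    "Jan  1 00:00:00 bigip1 warning tmm[22695]: 01260013:4: SSL Handshake failed for TCP "
    "10.1.1.11%2:9090 -> 10.1.1.10%2:64337",
    "Jan  1 00:00:01 bigip1 warning tmm[22695]: 01260009:4: 10.1.1.11%2:9090 -> "
    "10.1.1.10%2:64338: Connection error: ssl_null_parse:3708: alert(10) invalid record type",
    "Jan  1 00:00:01 bigip1 notice tmm[22695]: 01260000:5: unrelated line",
]

if __name__ == "__main__":
    for name, sample in [("client hello", SAMPLE_CLIENT_HELLO),
                         ("http request", SAMPLE_HTTP_REQUEST),
                         ("http response", SAMPLE_HTTP_RESPONSE)]:
        print(f"{name:14s} -> {classify_first_bytes(sample)}")
    for (peer, msgid), n in sorted(tally_ssl_failures(SAMPLE_LTM_LOG).items()):
        print(f"{peer} {msgid} x{n}")
```

To use it on a real capture, feed classify_first_bytes() the first payload bytes the BIG-IP sends to the member on the server-side flow: "tls_client_hello" means the server-side SSL profile was still active when the connection was set up, "plaintext_http" means SSL::disable took effect before the first request went out. Feeding the tally the live ltm log shows whether the noise is confined to POOL-path3 members.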