Forum Discussion
Control data sent in SSL
Hi,
I have an F5 machine working as an SSL terminator: data from the client to F5 goes encrypted under SSL; from F5 to the server it goes in the clear.
The client needs all binary information (the response at application level) from the server to come in the same SSL packet, but F5 sends it in different SSL packets: it receives information from the server and sends it to the client encrypted.
I need F5 not to send information to the client until a particular binary code is detected, and then send all the information in the same SSL packet to the client.
Is it possible to do this with an iRule?
Thanks.
3 Replies
- Kevin_Stewart
Employee
In lieu of a better answer, I'm going to have to say sure, it could probably do that. But I'm going to caveat that statement with two conditions:
- LTM is a full proxy. You'll always get separate layer 4 connections on each side of the proxy, and if you terminate (and optionally re-encrypt) SSL, you'll get separate SSL sessions on each side of the proxy.
- It would be very helpful if you could elaborate on what it is you're trying to do.
- usend_209769
Nimbostratus
As an example, I get a response of 3MB from a server to F5 and I need F5 to send this information to the client in only one SSL packet. (The maximum SSL payload is bigger than any response from the server.)
As soon as information from the server arrives at F5, it sends the information to the client (in different SSL packets), so I tried this rule so that all the information from the server is stored in F5 and finally sent all together to the client, in the hope that all the information is sent in only one SSL packet.
But the information is sent in different SSL packets with a payload of 1480 bytes. Is it possible to force F5 to send all the information in only one SSL packet?
    when CLIENT_ACCEPTED {
        # Start buffering client-side TCP payload instead of forwarding it
        TCP::collect
    }
    when CLIENT_DATA {
        set tcplen [TCP::payload length]
        # Hold the data until the buffered payload reaches the expected size,
        # then forward it in one go and start collecting again
        if { $tcplen >= 3176448 } {
            TCP::release
            TCP::collect
        }
    }
- usend_209769
Nimbostratus
This is my exact iRule:
    when SERVER_CONNECTED {
        # inside == 1 while an answer (00 ... ff) is being buffered
        set inside 0
        TCP::collect
    }
    when SERVER_DATA {
        if { $inside == 0 } {
            set field_offset 0
            set cipherList_len 2
            # Start of an answer: begin holding data on the BIG-IP
            if { [TCP::payload] starts_with "00" } {
                set inside 1
            } else {
                TCP::release
                TCP::collect
            }
        }
        if { $inside == 1 } {
            # End of the answer: forward everything buffered so far at once
            if { [TCP::payload] ends_with "ff" } {
                set inside 0
                TCP::release
                TCP::collect
            }
        }
    }
When I receive an answer from the server that starts with "00" I save all the data in F5 until I receive an "ff", the indication of the end of the answer. The connection between F5 and the server is unencrypted, and between the client and F5 SSL is used.
When I receive "ff" I send all the data to the client. I need all the data to go in the same SSL packet; this is the reason I do this iRule, to try to make F5 send the data to the client at the same time. But F5 sends the information in various SSL packets, in my last test with a payload of 1464.
Does anybody know if it's possible to force F5 to send all the data in one SSL packet?
Thanks.
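An added example to put the record-size question on firmer ground (this is not F5 code and not the poster's iRule; the byte stream is constructed inline). The TLS record layer caps each record's plaintext at 2^14 bytes (RFC 5246, section 6.2.1), so a 3 MB response can never arrive as a single SSL record no matter how the proxy buffers it, and a client that treats record boundaries as message boundaries will break on any response over 16 KiB. The robust client-side approach is the one the iRule already uses on the server side: reassemble across records using the application's own delimiters. The code builds plaintext application-data records of the 1464-byte payload size reported in the thread, parses them back, and reassembles the 00 ... ff message; it assumes the delimiters are single bytes 0x00 and 0xff (the posted iRule compares the literal strings "00" and "ff").

```python
"""TLS record framing vs. application-message framing.

Added example for this thread; not F5 code and not the poster's iRule.
Records are built as plaintext (unencrypted) so the framing stays visible.
Assumption: the application message starts with a single 0x00 byte and
ends with a single 0xff byte.
"""
import struct

TLS_APPLICATION_DATA = 23
TLS_MAX_PLAINTEXT = 2 ** 14                    # 16384 bytes, RFC 5246 section 6.2.1
TLS_MAX_CIPHERTEXT = TLS_MAX_PLAINTEXT + 2048  # TLS 1.2 upper bound on a record's length field
RECORD_HEADER = struct.Struct("!BBBH")         # content type, major, minor, fragment length


def min_records(message_len: int) -> int:
    """Fewest TLS records that can carry a plaintext message of this size."""
    return -(-message_len // TLS_MAX_PLAINTEXT)


def build_records(message: bytes, chunk_size: int) -> bytes:
    """Split message into TLS 1.2 application-data records of at most chunk_size bytes."""
    if not 0 < chunk_size <= TLS_MAX_PLAINTEXT:
        raise ValueError("chunk_size must be between 1 and 16384")
    out = bytearray()
    for i in range(0, len(message), chunk_size):
        body = message[i:i + chunk_size]
        out += RECORD_HEADER.pack(TLS_APPLICATION_DATA, 3, 3, len(body)) + body
    return bytes(out)


def parse_records(stream: bytes):
    """Yield (content_type, fragment) for every complete record in stream.

    A trailing partial record is left unconsumed: a real receiver keeps
    those bytes and waits for the rest of the record to arrive.
    """
    off = 0
    while off + RECORD_HEADER.size <= len(stream):
        ctype, _major, _minor, length = RECORD_HEADER.unpack_from(stream, off)
        if length > TLS_MAX_CIPHERTEXT:
            raise ValueError(f"record length {length} exceeds the TLS maximum")
        start = off + RECORD_HEADER.size
        if start + length > len(stream):
            break  # incomplete record, need more bytes
        yield ctype, stream[start:start + length]
        off = start + length


def reassemble(stream: bytes, start: bytes = b"\x00", end: bytes = b"\xff"):
    """Concatenate application-data fragments until a message that begins
    with `start` and ends with `end` is complete.

    Returns (message, records_consumed); message is None if the stream
    ended before the terminator was seen.
    """
    buf = bytearray()
    consumed = 0
    for ctype, frag in parse_records(stream):
        if ctype != TLS_APPLICATION_DATA:
            continue  # alerts, handshake records etc. are not application payload
        buf += frag
        consumed += 1
        if len(buf) >= 2 and buf.startswith(start) and buf.endswith(end):
            return bytes(buf), consumed
    return None, consumed


def record_lengths(stream: bytes):
    """Payload size of each complete record in the stream."""
    return [len(frag) for _ctype, frag in parse_records(stream)]


# Constructed sample: a 3002-byte response framed 0x00 ... 0xff, carried in
# records of 1464 bytes, the payload size reported in the thread.
MESSAGE = b"\x00" + b"A" * 3000 + b"\xff"
STREAM = build_records(MESSAGE, 1464)


if __name__ == "__main__":
    print("record payload sizes:", record_lengths(STREAM))
    msg, n = reassemble(STREAM)
    print("reassembled", len(msg), "bytes from", n, "records")
    print("3 MiB needs at least", min_records(3 * 1024 * 1024), "records")
```

The same reassembly logic works whether the sender's records are 1464 bytes, 16 KiB, or anything in between, which is the property the client in this thread needs: correctness must not depend on how the terminator happened to segment the stream.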