Forum Discussion
Decrypt AES Cookie outside of the load balancer
Whenever we see issues with a particular application server, our QA team decodes the F5 cookie to isolate the problematic server. However, after we implemented the encryption of the F5 cookies, they are no longer able to do so.
The obvious solution is to create an iRule that isolates our corporate IP segment on the LTM and decrypt the cookies. However, we would prefer to leave all cookies encrypted in our corporate environment and provide our QA folks with a utility they can use to decrypt the cookies.
Provided that I know the cookie secret, how can I mimic the 'decrypt' command outside of the load balancer? I have looked at various AES decryption tools but am unable to decrypt the cookies manually. If there's a resource that points to the exact specs the LTM uses to encrypt or covers API calls for this purpose, please let me know.
Any help would be appreciated, thanks!
-MZ
- hooleylist (Cirrostratus): Hi MZ,
- mzahir_65368 (Altostratus): Thanks Aaron
- spark_86682 (Historic F5 Account): We're working on getting this documentation up, but it's quite a big task. We also hope to have code to encrypt and decrypt, but I can't 100% promise that. At any rate, it will be several weeks at the least before this is released. I know I've said that "we're working on it" before, but a lot of progress has been made: the technical bits have been written up, and we're just working on getting them all digested into a single, approachable document.
- mzahir_65368 (Altostratus): Thanks. Even if there isn't a service or an exposed interface to do the decryption on the F5 itself, are the parameters of the current 'encrypt' function public? I could try writing a homegrown script to simulate it but wasn't sure if there was a private cert that cannot be extracted from the LTM.
- spark_86682 (Historic F5 Account): There's no private cert or other similar information, no. The algorithms could be described sufficiently for you to independently write a decryption program, but they are complicated and non-standard. As I said, those details will eventually be forthcoming. If you absolutely need them now, then you can open a support case and they can be provided to you.
- mzahir_65368 (Altostratus): That was the initial plan but according to my network admins, the BIG-IP kept assigning a new cookie to the connection instead of decrypting the existing cookie and re-using it. It seemed that the logic to first search for and decrypt the existing cookies was missing. We weren't able to get it working with the iRule but all seems well with the http profile. If you're familiar with this issue or if there's something we missed in our documentation, please let me know.
- spark_86682 (Historic F5 Account): Could you elaborate on what didn't work for you? The following works for me using iRule encryption:
    profile persist my_cookie {
       defaults from cookie
       cookie mode insert
       cookie name "pcookie"
    }
    rule my_rule {
       when HTTP_REQUEST {
          HTTP::cookie decrypt pcookie "mypassphrase"
          if { [HTTP::uri] == "/cookiedecrypter" } {
             HTTP::respond 200 content "Your cookie decrypted to: [HTTP::cookie value pcookie]"
             return
          }
       }
       when HTTP_RESPONSE {
          HTTP::cookie encrypt pcookie "mypassphrase"
       }
    }
    virtual http_vip {
       pool http_pool
       destination 10.3.3.127:http
       ip protocol tcp
       persist my_cookie
       rules my_rule
       profiles {
          http {}
          tcp {}
       }
    }

Here's some sample output:

    [root@v9dev1 root] telnet 10.3.3.127 80
    Trying 10.3.3.127...
    Connected to 10.3.3.127 (10.3.3.127).
    Escape character is '^]'.
    GET /cookiedecrypter HTTP/1.1
    Host: foobarbaz
    Cookie: pcookie=VjGAtYnPEtZUVxw/wVjg5d+fhs8e3MdS5FeP0Z7BOsQEWOSVH4C2fInFFaQB4T62plOUIBp3H1vEytw=

    HTTP/1.0 200 OK
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 47

    Your cookie decrypted to: 3355509002.13173.0000
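The decrypted value above (3355509002.13173.0000) is the plaintext BIG-IP persistence cookie format that the QA team reads to find the pool member. The script below is an added example, not code from the thread or from F5: it decodes that plaintext format (the little-endian IPv4 address and port, followed by 0000) and recognises when a value is still encrypted, which is the case the original poster is stuck on. It does not implement F5's cookie encryption, which the thread says is non-standard and not documented here; the cookie name pcookie and the header line are taken from the sample session.

```python
import re
import struct
from ipaddress import IPv4Address

# Classic BIG-IP IPv4 persistence-cookie value: <ip>.<port>.0000, where <ip> and
# <port> are decimal renderings of little-endian integers (as in the thread's output).
_COOKIE_VALUE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def is_plaintext_value(value: str) -> bool:
    """True if the value looks decrypted (ip.port.0000), False for an encrypted blob."""
    return _COOKIE_VALUE.match(value.strip()) is not None


def decode_persistence_value(value: str) -> tuple[str, int]:
    """Turn '3355509002.13173.0000' into the (ip, port) of the pool member."""
    m = _COOKIE_VALUE.match(value.strip())
    if not m:
        raise ValueError(f"not a plaintext IPv4 BIG-IP persistence value: {value!r}")
    ip_le, port_le = int(m.group(1)), int(m.group(2))
    if ip_le > 0xFFFFFFFF or port_le > 0xFFFF:
        raise ValueError(f"field out of range: {value!r}")
    # Both fields are stored little-endian: pack little-endian, read back big-endian.
    ip = str(IPv4Address(struct.pack("<I", ip_le)))
    port = struct.unpack(">H", struct.pack("<H", port_le))[0]
    return ip, port


def pool_member_from_cookie_header(header: str, name: str) -> tuple[str, int]:
    """Pull cookie <name> out of a raw 'Cookie:' header line and decode it."""
    body = header.split(":", 1)[1] if header.lower().startswith("cookie:") else header
    for part in body.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return decode_persistence_value(v)
    raise KeyError(f"cookie {name!r} not present")


if __name__ == "__main__":
    # Constructed sample: the decrypted value returned by the iRule in the thread.
    print(decode_persistence_value("3355509002.13173.0000"))  # ('10.1.1.200', 30003)
```

If the value fails the plaintext check, it is still encrypted and can only be recovered by the BIG-IP that holds the passphrase (for example via the /cookiedecrypter iRule above).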
- hooleylist (Cirrostratus): Thanks for the example Spark. But telnet, really? How about netcat? :D
- spark_86682 (Historic F5 Account): My lawn, get off of it. :D