Forum Discussion
maruf_58474
Nimbostratus
Jul 07, 2010
Decrypting stunnel traffic with iRule
Hi,
I am trying to decrypt stunnel traffic with a specific certificate and send the decrypted traffic to a pool. I am using version 9.4.8. Of course I want to be able to use the hardware SSL decryption available on the LTM. Is there a way to do hardware decryption with an iRule?
Thanks

Hamish
Cirrocumulus
Have you tried attaching an SSL profile to the VS? That SHOULD work (i.e. it should be the same as just using openssl s_client or similar to connect to an SSL VS for testing).

maruf_58474
Nimbostratus
The SSL tunnel is ending on a pool of servers right now. I need some clients' SSL tunnels to be decrypted by the LB for the same existing VS. So for the existing TCP-profile VS, I want to use an iRule to redirect traffic. I can redirect to another VS, but I would have to use source NAT in this case, which I cannot. So with the iRule, I would need to decrypt with a specific certificate using the SSL hardware of course, then redirect to a pool of servers. In doing that I get to keep the source IP of the client.

Hamish
Cirrocumulus
Assuming I'm understanding you correctly, you could decrypt on the F5 for all traffic and then re-encrypt the client-server traffic for the existing pool members that do SSL already. Classic man-in-the-middle. Then just write an iRule to check for the client and do what you need to for those clients only.

maruf_58474
Nimbostratus
I cannot decrypt all the SSL traffic on the LB just like that: I need to do testing for a small number of clients. I wanted to redirect only some traffic to do load testing. If I start decrypting the traffic on the LTM, I am pretty sure that lots of clients will not be able to connect.

hoolio
Cirrostratus
If you define the test clients in a datagroup and add a client SSL profile to the virtual server, you could use an iRule like this to decrypt only their requests and select the correct pool:

    when CLIENT_ACCEPTED {
       # Check if client is a test IP (defined in testers_class)
       if { [matchclass [IP::client_addr] equals testers_class] } {
          # Specify a non-SSL pool
          pool non_ssl_pool
       } else {
          # Disable the client SSL profile
          SSL::disable
          # Specify an SSL pool
          pool ssl_pool
       }
    }

maruf_58474
Nimbostratus
That would work, thanks. Right now I am using the FastL4 profile as some clients' connections only work with this profile. Do you know what TCP profile would perform similarly to FastL4? (Right now I am using Performance Layer4 as my type of VS; to decrypt traffic I would need to use a Standard VS.)

hoolio
Cirrostratus
None will perform as fast as a Performance Layer4 / FastL4 VS, as this VS type does minimal handling of the connections. I generally use lan-optimized-tcp for a TCP VS based on feedback from people here.
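The selective-decryption approach hoolio describes, extended as an added example (this is not code from the thread or from F5): it assumes a client SSL profile on the Standard VS, the pools non_ssl_pool and ssl_pool, and a v9-style data group testers_class whose bigip.conf syntax is assumed from memory, and it adds a log line per connection so the tester can confirm from /var/log/ltm that only the listed test clients are being decrypted on the LTM while everyone else is passed through untouched.

```tcl
# Added example, not from the thread. Assumptions:
#   - a client SSL profile (with the test certificate) is attached to the VS
#   - pools "non_ssl_pool" (plaintext members) and "ssl_pool" (SSL members)
#   - a v9 data group of test client addresses; the bigip.conf syntax below
#     is assumed, not quoted from the thread:
#
#       class testers_class {
#          host 192.0.2.10
#          network 192.0.2.0/24
#       }
#
when CLIENT_ACCEPTED {
   # Only clients listed in testers_class are decrypted on the LTM.
   if { [matchclass [IP::client_addr] equals testers_class] } {
      # Keep the client SSL profile active: the LTM terminates SSL in
      # hardware and forwards plaintext to the non-SSL pool. No SNAT is
      # needed, so the server still sees the client's source IP.
      pool non_ssl_pool
      log local0. "testers_class hit: [IP::client_addr]:[TCP::client_port] decrypted on LTM -> non_ssl_pool"
   } else {
      # Everyone else: disable the client SSL profile so the SSL session
      # stays end to end between the client and the existing SSL servers.
      SSL::disable
      pool ssl_pool
      log local0. "passthrough: [IP::client_addr]:[TCP::client_port] -> ssl_pool"
   }
}
```

Grep /var/log/ltm for "testers_class hit" during the load test; any line for an address that is not in the data group means the data group, not the SSL profile, needs correcting before widening the test.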