For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Philip_Jonsson_'s avatar
Philip_Jonsson_
Icon for Altocumulus rankAltocumulus
Oct 23, 2018

Extracting SSL Certificate Issuer from Server Side Connection

Hello!   I'm currently trying to build an iRule to extract the SSL Certificate Issuer from the Server Side Connection. All of the examples I have seen is based on the Client Side.   To give you...
application delivery
iRules
Secure Web Gateway
serverssl
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 23, 2018

Well no. SERVER_DATA is a server-side event and typically triggers with a TCP::collect in the SERVER_CONNECTED event, which itself is triggered on a server side (node to BIG-IP) TCP handshake. The issue here is that you're looking for traffic coming from the BIG-IP, and aside for a few exceptions, there aren't iRule events for traffic leaving the BIG-IP. In other words, anything you do in SERVER_DATA is relative to traffic coming from the server, which in this case is the remote Internet host.

The only option you really have for capturing client-side traffic coming from the BIG-IP to the client is to layer a VIP in front of this VIP. This external layered VIP wouldn't do any SSL, just simple TCP pass-through.

when CLIENT_ACCEPTED {
    virtual internal_vip
}

But it would see all of the TLS traffic coming from the SSLFWD configuration and could extract that information, albeit with TCP binary iRules processing.