Forum Discussion
How to setup internal virtual server and get TLS 1.3 keys from external virtual server via sideband?
Hi,
We have started evaluating LTM and, as part of integration for decrypting PFS with BIG-IP VE, I have attempted to create an internal virtual server to which a sideband connection from the external virtual server is made via an iRule, but we are seeing an issue while creating the sideband connection.
I used the UI to create the internal virtual server and would like to check what configuration we need to use for the internal virtual server so that we can have a successful sideband connection.
In the iRule of the external virtual server we are able to get TLS 1.3 keys in CLIENT_HANDSHAKE, but we are not able to connect to the internal virtual server and send those keys. Any help resolving this issue is appreciated.
Internal virtual server config:
Type: Standard
Destination: 1.1.1.1 (non-routable IP), Port: <Port of internal node>
Profiles: tcp
OneConnect
Pool: internal server pool which has one member listening for HTTP requests.
External virtual server:
Default config; uses an iRule to get TLS 1.3 keys and send them to the internal server.
- Ram_Paranandi
Nimbostratus
Hi,
I am now able to see traffic being forwarded to the internal virtual server when I removed it and added a new internal virtual server with the default config and the tcp profile. If I change the profile to http it is not working.
I am also seeing that the internal virtual server is sending traffic to its pool node, but currently over the HTTP port as TCP data, and it is receiving an Unauthorized error from the node as it needs authentication.
Next step is how we can set authentication parameters on the internal virtual server or pool node, such that it can authenticate and send data to the node via HTTP?
Hi Ram_Paranandi,
What are you trying to achieve, actually? To log TLS 1.3 secrets off-box so that you can later decrypt the recorded traffic?
KR
Daniel
- Ram_Paranandi
Nimbostratus
Hi Daniel_Wolf ,
Yes, similar to that. Post/copy TLS 1.3 secrets to an internal device API listening on HTTP/HTTPS.
I'm out. Since you did not further specify your requirements, I must assume that you plan to record sensitive data from a production environment. I have a bad feeling about permanently storing such data without any filters.
- Ram_Paranandi
Nimbostratus
We don't actually log those keys to disk; we keep them in memory (protected) and process them with the traffic mirrored to the device, and once done we roll the keys out of device memory. The deployment would be like the one described in the article https://devcentral.f5.com/s/articles/lightboard-lesson-perfect-forward-secrecy-inspection-visibility...
Deployment: External Client ----> Big IP ------> Internal Servers
External Virtual Server
|
| TLS 1.3 keys (Sideband TCP)
v
BigIP Internal Virtual Server ---------> Pool (HTTP/HTTPS) ---> Pool Device (HTTP/HTTPS Internal Detection Device)
In this deployment, from the external virtual server to the internal virtual server the TLS 1.3 keys are shared via TCP sideband; this part is OK and I am able to see that data on the wire. Now, to share keys from the internal virtual server to the pool and pool device, how do we configure HTTP/HTTPS authentication?
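As an added example (not code from this thread, from F5, or from the linked article), one way to add HTTP Basic authentication on the tcp-profile internal virtual server that the poster found working: an iRule that collects the raw sideband payload and wraps it in an HTTP POST before it reaches the pool member. The host name, the path /api/keys and the credentials are placeholders, as is the assumption that the detection device accepts one newline-terminated keylog record per request.

```tcl
# Added example iRule for the internal virtual server (tcp profile, no http
# profile). Assumes the external virtual server sends newline-terminated
# keylog records over the sideband connection and that the pool member
# accepts them in a plain-HTTP POST protected by Basic authentication.
when CLIENT_ACCEPTED {
    # hold the raw sideband payload instead of passing it straight to the pool
    TCP::collect
}

when CLIENT_DATA {
    set keylog [TCP::payload]
    # CLIENT_DATA can fire before the sender's record is complete;
    # keep collecting until the trailing newline has arrived
    if { [string index $keylog end] ne "\n" } {
        TCP::collect
        return
    }
    # placeholder credentials; in a real deployment read them from a
    # data group rather than embedding them in the rule
    set auth [b64encode "device-user:device-password"]
    set req "POST /api/keys HTTP/1.1\r\n"
    append req "Host: detection-device.internal\r\n"
    append req "Authorization: Basic $auth\r\n"
    append req "Content-Type: text/plain\r\n"
    append req "Content-Length: [string length $keylog]\r\n"
    append req "Connection: close\r\n\r\n"
    append req $keylog
    # swap the raw payload for the HTTP request, then let it flow to the pool
    TCP::payload replace 0 [TCP::payload length] $req
    TCP::release
}
```

If the pool member is HTTPS, attach a server-ssl profile to the internal virtual server so the request is encrypted on the way to the detection device; the rule itself does not change.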
- Ram_Paranandi
Nimbostratus