grabarz666
Nimbostratus
Dec 04, 2017

iRule client auth header
Hi All,
I am looking for assistance with an issue I'm facing with one of our applications.
Our setup is as follows:
client > F5 (SSL offload client/server profile) > backend server
- We do SSL offloading on F5 with the client profile set to use an external SSL certificate and the server profile to use an internal SSL certificate
- Client SSL profile is set to:
- Require auth
- frequency once
- CA bundle is provided for the client's cert verification
- Server SSL profile is standard set
- We have an iRule which passes the .x509 header on to the backend so source and destination can authenticate directly
    when CLIENTSSL_CLIENTCERT {
        # Fires after the client has presented a certificate (initial handshake or renegotiation).
        # Note: [SSL::cert 0] is the raw DER certificate, so logging it writes binary data to the log.
        log local0.info "First line ---- Session ID: [SSL::sessionid] Cert ID: [SSL::cert 0]"
        set error_code [SSL::verify_result]
        set cur [SSL::sessionid]
        set ask [session lookup ssl $cur]
        # Cache the presented certificate under this SSL session ID if it is not cached yet
        if { $ask eq "" } {
            log local0.info "Cert verify result - [X509::verify_cert_error_string $error_code]"
            session add ssl [SSL::sessionid] [SSL::cert 0]
            log local0.info "Session ID: [SSL::sessionid] Cert ID: [SSL::cert 0]"
            return
        }
    }
    when HTTP_REQUEST {
        set id [SSL::sessionid]
        set the_cert [session lookup ssl $id]
        set error_code [SSL::verify_result]
        log local0.info "Second line ---- Session ID: [SSL::sessionid] Cert ID: [SSL::cert 0]"
        if { $the_cert eq "" } {
            # No cached certificate for this SSL session: force a renegotiation that requires one
            log local0.info "Cert verify result - [X509::verify_cert_error_string $error_code]"
            SSL::session invalidate
            SSL::authenticate once
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate enable
            SSL::renegotiate
            log local0.info "Renegotiating session..."
        } else {
            # Cached certificate found: hand it to the backend as a header and rewrite the URI
            log local0.info "SSL certificate found, inserting .x509 into HTTP request, cert verify result - [X509::verify_cert_error_string $error_code]"
            HTTP::header insert X-Client-Cert [X509::whole $the_cert]
            HTTP::uri /new_uri
            log local0.info "Third line ---- Session ID: [SSL::sessionid] Cert ID: [SSL::cert 0]"
        }
    }
grabarz666
Nimbostratus
Eventually the above setup works, but we get occasions (3-4 times per hour on less frequent traffic) when the application breaks.

NORMAL SESSION (bottom to up order) - SSL handshake first followed by HTTP_REQUEST:
===================================================================================
Mon Dec 4 20:42:30 GMT 2017 info xyz tmm2[14307] Rule /Common/irule-xyz : Third line ---- Session ID: 6bec8b8b1dd0fb69efaa0c4a48b409f9c7f3d59ccc2826557479aaa18fbaea18 Cert ID: [raw DER certificate bytes omitted]
Mon Dec 4 20:42:30 GMT 2017 info xyz tmm2[14307] Rule /Common/irule-xyz : SSL certificate found, inserting .x509 into HTTP request, cert verify result - ok
Mon Dec 4 20:42:30 GMT 2017 info xyz tmm2[14307] Rule /Common/irule-xyz : Second line ---- Session ID: 6bec8b8b1dd0fb69efaa0c4a48b409f9c7f3d59ccc2826557479aaa18fbaea18 Cert ID: [raw DER certificate bytes omitted]
Mon Dec 4 20:42:30 GMT 2017 info xyz tmm2[14307] Rule /Common/irule-xyz : Session ID: 6bec8b8b1dd0fb69efaa0c4a48b409f9c7f3d59ccc2826557479aaa18fbaea18 Cert ID: [raw DER certificate bytes omitted]
Mon Dec 4 20:42:30 GMT 2017 info xyz tmm2[14307] Rule /Common/irule-xyz : Cert verify result - ok
Mon Dec 4 20:42:30 GMT 2017 info xyz tmm2[14307] Rule /Common/irule-xyz : First line ---- Session ID: 6bec8b8b1dd0fb69efaa0c4a48b409f9c7f3d59ccc2826557479aaa18fbaea18 Cert ID: [raw DER certificate bytes omitted]

BROKEN SESSION (bottom to up order) - it seems like renegotiation, as HTTP_REQUEST happens first?, then the CLIENTSSL_CLIENTCERT event does not re-call another HTTP_REQUEST as in the normal session:
===================================================================================
Mon Dec 4 21:18:30 GMT 2017 info xyz tmm7[14307] Rule /Common/irule-xyz : Session ID: 6bec8b8b1dd09d6aefaa0c4a48b40cf93e8a72763551dfe67479aaa18fbae2e8 Cert ID: [raw DER certificate bytes omitted]
Mon Dec 4 21:18:30 GMT 2017 info xyz tmm7[14307] Rule /Common/irule-xyz : Cert verify result - ok
Mon Dec 4 21:18:30 GMT 2017 info xyz tmm7[14307] Rule /Common/irule-xyz : First line ---- Session ID: 6bec8b8b1dd09d6aefaa0c4a48b40cf93e8a72763551dfe67479aaa18fbae2e8 Cert ID: [raw DER certificate bytes omitted]
Mon Dec 4 21:18:30 GMT 2017 info xyz tmm7[14307] Rule /Common/irule-xyz : Renegotiating session...
Mon Dec 4 21:18:30 GMT 2017 info xyz tmm7[14307] Rule /Common/irule-xyz : Cert verify result - ok
Mon Dec 4 21:18:30 GMT 2017 info xyz tmm7[14307] Rule /Common/irule-xyz : Second line ---- Session ID: 6bec8b8b1dd09d6defaa0c4a48b40cf93e8a72763551dfef7479aaa18fbae398 Cert ID: [raw DER certificate bytes omitted]

Any pointers would be appreciated. Thanks
Looks like the SSL check is failing during SSL renegotiation in phase 2. By default the SSL cache is maintained for an hour. I would have expected all SSL cert checks to occur within the SSL event, not under the HTTP event. Please also check that OneConnect is enabled for the VIP.
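One way to restructure the iRule from the original post along the lines of the reply above (certificate verification in the SSL event, and the HTTP request held until the renegotiated handshake has actually delivered a certificate), written here as an added example; it is neither the poster's iRule nor an F5-supplied one. It assumes a client SSL profile configured as in the original post, a backend that trusts the X-Client-Cert header only because the BIG-IP sets it, and the HTTP::collect / HTTP::release / HTTP_REQUEST_DATA interplay used in DevCentral renegotiation iRules; the exact event ordering should be confirmed on the TMOS version in use.

```tcl
# Added example (not the poster's iRule and not F5-supplied). Assumptions: client SSL
# profile as in the original post; one backend that trusts X-Client-Cert because the
# BIG-IP sets it; CLIENTSSL_CLIENTCERT fires before the parked request is released
# into HTTP_REQUEST_DATA (verify on your TMOS version).

when CLIENT_ACCEPTED {
    # Per-connection state: the verified client cert (PEM) and whether a request is parked.
    set client_cert ""
    set held_request 0
}

when CLIENTSSL_CLIENTCERT {
    # Runs for the initial handshake and for every renegotiation.
    # The verification result is checked here, in the SSL event, not under HTTP_REQUEST.
    if { [SSL::cert count] > 0 } {
        set verify [SSL::verify_result]
        if { $verify == 0 } {
            set client_cert [X509::whole [SSL::cert 0]]
            # Cache by SSL session ID (1 hour) so a resumed session skips the renegotiation.
            session add ssl [SSL::sessionid] $client_cert 3600
        } else {
            log local0.warn "Client cert rejected: [X509::verify_cert_error_string $verify]"
            set client_cert ""
        }
    }
    if { $held_request } {
        # Let the parked request continue; HTTP_REQUEST_DATA picks it up next.
        HTTP::release
    }
}

when HTTP_REQUEST {
    # Never forward a client-supplied copy of the header the backend relies on.
    HTTP::header remove X-Client-Cert

    if { $client_cert eq "" } {
        # A resumed SSL session may already have a cached certificate.
        set client_cert [session lookup ssl [SSL::sessionid]]
    }
    if { $client_cert ne "" } {
        # Header values cannot carry raw newlines, so flatten the PEM onto one line.
        HTTP::header insert X-Client-Cert [string map {"\n" " "} $client_cert]
        return
    }
    if { $held_request } {
        # A renegotiation already ran on this connection and produced no acceptable cert.
        HTTP::respond 403 content "client certificate required"
        return
    }
    # Park the request until the renegotiated handshake has delivered a certificate.
    set held_request 1
    HTTP::collect
    SSL::session invalidate
    SSL::authenticate once
    SSL::authenticate depth 9
    SSL::cert mode require
    SSL::renegotiate enable
    SSL::renegotiate
}

when HTTP_REQUEST_DATA {
    # Reached once the parked request has been released by CLIENTSSL_CLIENTCERT.
    set held_request 0
    if { $client_cert eq "" } {
        # Renegotiation finished without a verified certificate: drop the connection.
        reject
        return
    }
    HTTP::header insert X-Client-Cert [string map {"\n" " "} $client_cert]
}
```

Two points worth keeping in mind with this shape: the `HTTP::header remove` at the top of HTTP_REQUEST is what stops a client from presenting its own X-Client-Cert value to a backend that trusts the header blindly, and a client that never answers the renegotiation request leaves the parked request waiting until the virtual server's idle timeout, which shows up in the logs as a "Renegotiating" entry with no matching CLIENTSSL_CLIENTCERT entry.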
grabarz666
Nimbostratus
Thanks,
We have the event failure sometimes at intervals of 20 minutes... On the OneConnect side, is this to send the subsequent post-renegotiation HTTP request to the same server? I meant to add that the pool consists of one member only, as this is a test bed.